On 12/20/2014 03:38 PM, Tim Bunce wrote:
> On Fri, Dec 19, 2014 at 01:12:16PM +0100, Alexander Foken wrote:
> > Hello all,
> >
> > this reminds me of a similar problem I had in 2000 with DBI,
> > DBD::Oracle, and Oracle. See
> > <http://marc.info/?t=95063959000004&r=1&w=2>,
> > <http://173.79.223.25/?l=dbi-dev&m=95077716125217&w=2>.
> >
> > The problem was using named placeholders (":foo") in DBI and at the
> > same time using PL/SQL code containing variables (":bar"): DBI
> > considered both ":foo" and ":bar" to be placeholders instead of
> > leaving ":bar" alone and passing it to Oracle. A set of patches from
> > Michael A. Chase allowed disabling parts or all of the placeholder
> > parsing, so using unnamed placeholders ("?") allowed using PL/SQL
> > variables in SQL statements.
> >
> > But the fundamental problem was not solved: there was, and still is,
> > no way to escape placeholders.
>
> Can you, or anyone else, think of any situation where a backslash before
> a ? or :foo (or even $1) style placeholder might be valid SQL?
>
> So far no one has come up with one, so I'm getting more comfortable
> with the idea that a backslash before a placeholder is a safe change.
> I.e., there's a near-zero risk that upgrading a DBI driver to support
> backslashes would cause breakage in existing code.


I am not sure why, but a backslashed version makes me wary... What about ?? instead?
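As an added illustration, not code from DBI or from anyone in this thread, here is a small Python scanner that shows the conflict Alexander describes (a PL/SQL bind variable ":bar" being swallowed as a DBI placeholder) and both escape conventions raised above: a backslash before the placeholder, and the doubled "??" alternative. The function name `scan`, the token grammar, and the sample statements are my own constructions; the scanner skips single-quoted strings and SQL comments so placeholders inside them are left alone, but it does not attempt to reproduce DBI's real parser.

```python
import re

# One token of interest at a time. Alternatives are tried in order, so an
# escaped form wins over a bare placeholder at the same position.
_TOKEN = re.compile(r"""
    (?P<escaped>\\(?:\?|:[A-Za-z_]\w*|\$\d+))   # \? \:foo \$1 -> literal text (backslash convention)
  | (?P<doubled>\?\?)                            # ??           -> literal ?   (doubling convention)
  | (?P<placeholder>\?|:[A-Za-z_]\w*|\$\d+)      # ?, :name, $n -> a real placeholder
  | (?P<string>'(?:[^']|'')*')                   # 'literal' with '' as the embedded quote
  | (?P<comment>--[^\n]*|/\*.*?\*/)              # -- line and /* block */ comments
""", re.VERBOSE | re.DOTALL)


def scan(sql):
    """Return (sql_for_the_server, placeholders_found).

    Placeholders outside strings and comments are collected in order.
    An escaped placeholder is emitted as plain text with its escape
    removed, so the database sees ':bar' or '?' rather than a bind marker.
    """
    out = []
    placeholders = []
    pos = 0
    for m in _TOKEN.finditer(sql):
        out.append(sql[pos:m.start()])          # text between tokens passes through
        if m.group("escaped"):
            out.append(m.group("escaped")[1:])  # drop the backslash, keep the text
        elif m.group("doubled"):
            out.append("?")                     # ?? collapses to one literal ?
        elif m.group("placeholder"):
            placeholders.append(m.group("placeholder"))
            out.append(m.group("placeholder"))
        else:
            out.append(m.group(0))              # strings and comments are untouched
        pos = m.end()
    out.append(sql[pos:])
    return "".join(out), placeholders


if __name__ == "__main__":
    # Constructed PL/SQL block: ':out_count' is an Oracle bind variable that
    # the caller does NOT want DBI to treat as a placeholder, while '?' is.
    naive = "BEGIN :out_count := pkg.count_rows(?); END;"
    escaped = r"BEGIN \:out_count := pkg.count_rows(?); END;"
    print(scan(naive))    # both ':out_count' and '?' are taken as placeholders
    print(scan(escaped))  # only '?' is a placeholder; ':out_count' reaches Oracle
    print(scan("SELECT 'a ?? b' AS s, c FROM t WHERE d ?? e = ?"))
```

Without the escape, the first call reports two placeholders, which is exactly the situation that forced the Michael A. Chase patches to switch placeholder parsing off; with either escape form the server receives the original text and only the intended marker is bound. Whichever convention is chosen, the same scanner has to know about string literals and comments, or a "?" inside a quoted value would be rewritten as well.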
