[Devel] Single-quote escaping in unixodbc + now() vs. getdate() + openser crash in DB connection lost
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Jan 15 20:37:29 CET 2007
Jerome Martin wrote:
> Hello Daniel,
>
>
> On Sun, 2007-01-14 at 21:32 +0200, Daniel-Constantin Mierla wrote:
>> I just committed to the cvs an update to unixodbc which escapes single
>> quotes, backslashes and NULL characters. Could you give it a try and let
>> me know if it works? Long term solution would be to use prepared statement
>> APIs -- needs more investigation.
>
> I just took a look at your code, but did not test it, because it won't
> work. It is not as simple as that for single-quotes.
>
> I even wonder if it is possible to do it cleanly in unixodbc module,
> maybe this needs to be done directly in the DB adapter code or in the
> other modules.
>
> The outline is: in order to insert a literal single-quote in a
> single-quote-delimited SQL statement, you need to double the literal
> single-quote:
>
> Let's say I know a place named "Joe's":
> correct statement: SELECT phone FROM myTable WHERE phone='Joe''s';
> INCORRECT one: SELECT phone FROM myTable WHERE phone='Joe\'s';
>
> What do you think?
I have just checked with postgresql. The PQEscape... function also
converts ' into ''.
regards
klaus
--
Klaus Darilion
nic.at
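The quoting rule discussed in this thread, worked through against a real SQL parser, as an added example that is not code from the thread or from the unixodbc module. It uses Python's built-in sqlite3 (which follows standard-SQL quoting, like PostgreSQL) and a constructed table with one row whose name is literally Joe's; it shows that the doubled quote matches, that the backslash form does not even parse, that the escaping neutralises a quote inside user input, and what the prepared-statement route Daniel mentions looks like.

```python
import sqlite3

SCHEMA = "CREATE TABLE places (name TEXT, phone TEXT)"
# Constructed sample row; the stored name is literally: Joe's
SEED = "INSERT INTO places VALUES ('Joe''s', '555-0100')"


def escape_sql_string(value: str) -> str:
    """Standard-SQL escaping for a single-quoted literal: double each quote.
    Backslashes are not special in standard SQL (PostgreSQL, SQLite), so they
    are left untouched; a NUL byte cannot be carried in a literal at all, so
    it is rejected rather than 'escaped'."""
    if "\x00" in value:
        raise ValueError("NUL byte cannot appear in an SQL string literal")
    return value.replace("'", "''")


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(SEED)
    return conn


def query_with_literal(literal: str):
    """Run SELECT ... WHERE name='<literal>' with the literal spliced in as-is.
    Returns the matching phones, or None if the SQL fails to parse."""
    conn = _fresh_db()
    try:
        sql = "SELECT phone FROM places WHERE name='%s'" % literal
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None  # e.g. the backslash form: the string is never terminated
    finally:
        conn.close()


def query_escaped(name: str):
    """Escape the caller's value the standard way, then run it."""
    return query_with_literal(escape_sql_string(name))


def query_parameterized(name: str):
    """The prepared-statement route the thread calls the long-term fix:
    the driver binds the value, so no quoting rules are involved at all."""
    conn = _fresh_db()
    try:
        rows = conn.execute("SELECT phone FROM places WHERE name=?", (name,))
        return [row[0] for row in rows]
    finally:
        conn.close()
```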