[Gambas-devel] MySQL class ready

Benoit Minisini gambas at ...1...
Mon Apr 14 18:55:04 CEST 2008


On Monday 14 April 2008, David Villalobos Cambronero wrote:
> Hi all,
>
> Just to be clear, I'm not trying to make a new interface between MySQL and
> Gambas (I'm not that good at programming), I just want to make things easier
> for people that use MySQL and Gambas.
>
> Attached is the project for MySQL.class, please read this carefully:
>
> 0- It was made with Gambas 3 but it works with Gambas 2.X, since it just uses
>    gb and gb.db.
> 1- The goal for this project is to construct MySQL statements and pass them
>    to the Connection.Exec function.
> 2- Most of MySQL datatypes have been implemented as string constants, so the
>    user doesn't have to memorize all the data types.
> 3- The project has two classes, MySQL and DataTypes, but only MySQL is
>    Exported.
> 4- The project has two modules, both are examples of use. So you can switch
>    the startup one for practice. These modules are NOT required for the
>    project.
> 5- Each module has many commented lines, some are for explanation, others to
>    see the Gambas way to create tables, and at the end of every table
>    definition in Module2 are two lines for comparing the MySQL.class way and
>    Gambas way.
> 6- In the attached file called Real.sql are stored the original table
>    definitions, from the sakila example (provided for MySQL Labs) and other
>    tables from one of my applications. You can use it to determine if
>    MySQL.class is efficient or not.
> 7- I send all this information for Benoit to decide if this project is good
>    enough to be part of Gambas.
>
> Please let me know your comments
>
> Regards
>
> David
>

Apparently the string arguments of your methods are not quoted before being 
sent to the database driver. 

This is very dangerous, as people using your code will be subject to SQL 
injection attacks without notice.

Regards,

-- 
Benoit Minisini
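
The risk raised in the reply above, shown as an added example that is not part of the original thread and is not code from MySQL.class: a statement builder that pastes a string argument into the SQL text, next to one that binds it. It is written in Python with an in-memory SQLite database standing in for MySQL; the function names, table and rows are hypothetical and constructed for the demonstration.

```python
import re
import sqlite3

# Table and column names cannot be bound as parameters, so they are allow-listed.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def select_unquoted(table, column, value):
    """Statement builder that pastes its string argument into the SQL text as-is."""
    return "SELECT name FROM %s WHERE %s = '%s'" % (table, column, value)


def select_bound(table, column, value):
    """Hardened builder: returns SQL with a placeholder plus the value to bind."""
    for ident in (table, column):
        if not IDENT.match(ident):
            raise ValueError("invalid identifier: %r" % (ident,))
    return 'SELECT name FROM "%s" WHERE "%s" = ?' % (table, column), (value,)


def demo_db():
    """Constructed sample rows in an in-memory SQLite database (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)",
                     [("Ana", "Lima"), ("Luis", "Quito"), ("O'Brien", "Cork")])
    return conn


def rows_unquoted(conn, column, value):
    return conn.execute(select_unquoted("customer", column, value)).fetchall()


def rows_bound(conn, column, value):
    sql, params = select_bound("customer", column, value)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    crafted = "x' OR '1'='1"  # constructed input that contains a quote character
    print("unquoted builder:", rows_unquoted(conn, "city", crafted))
    print("bound builder:   ", rows_bound(conn, "city", crafted))
    print("bound, O'Brien:  ", rows_bound(conn, "name", "O'Brien"))
    try:
        rows_unquoted(conn, "name", "O'Brien")
    except sqlite3.Error as exc:  # a legitimate name breaks the unquoted statement
        print("unquoted, O'Brien:", exc)
```

With the unquoted builder the quote inside the value ends the string literal and the rest is parsed as SQL, so every row matches; with the bound builder the same value is compared as plain data and matches nothing.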



