[Gambas-devel] MySQL class ready

David Villalobos Cambronero david_villalobos_c at ...7...
Tue Apr 15 14:13:23 CEST 2008


Let me check, I remember that I quoted table names, and the arguments too.

David

----- Original Message ----
From: Benoit Minisini <gambas at ...1...>
To: mailing list for gambas developers <gambas-devel at lists.sourceforge.net>
Sent: Monday, April 14, 2008 10:55:04 AM
Subject: Re: [Gambas-devel] MySQL class ready

On lundi 14 avril 2008, David Villalobos Cambronero wrote:
> Hi all,
>
> Just to be clear, I'm not trying to make a new interface between MySQL and
> Gambas (I'm not that good at programming), I just want to make things easier
> for people that use MySQL and Gambas.
>
> Attached is the project for MySQL.class, please read this carefully:
>
> 0- It was made with Gambas 3 but it works with Gambas 2.X, since it just
> uses gb and gb.db.
> 1- The goal for this project is to construct MySQL statements and pass them
> to the Connection.Exec function.
> 2- Most of the MySQL datatypes have been implemented as string constants, so
> the user doesn't have to memorize all the data types.
> 3- The project has two classes, MySQL and DataTypes, but only MySQL is
> Exported.
> 4- The project has two modules, both are examples of use. So you can switch
> the startup one for practice. These modules are NOT required for the project.
> 5- Each module has many commented lines, some are for explanation, others to
> see the Gambas way to create tables, and at the end of every table
> definition in Module2 are two lines for comparing the MySQL.class way and
> the Gambas way.
> 6- In the attached file called Real.sql are stored the original table
> definitions, from the sakila example (provided by MySQL Labs) and other
> tables from one of my applications. You can use it to determine if
> MySQL.class is efficient or not.
> 7- I send all this information for Benoit to decide if this project is good
> enough to be part of Gambas.
>
> Please let me know your comments
>
> Regards
>
> David
>

Apparently the string arguments of your methods are not quoted before being 
sent to the database driver. 

This is very dangerous, as people using your code will be subject to SQL 
injection attacks without notice.

Regards,

-- 
Benoit Minisini
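The problem Benoit points out, shown as an added example that is not part of the thread or of MySQL.class: a statement is built by pasting a caller-supplied string into the SQL text, exactly as a helper class that hands strings to Connection.Exec would. Python's built-in sqlite3 module stands in for MySQL so the example runs offline; the table, the rows and the helper names are constructed for this illustration. The standard-SQL escape (doubling an embedded single quote) is used for the quoted variant; a real Gambas class should rely on the driver's own quoting or on parameter substitution rather than hand-rolled escaping.

```python
import sqlite3

# Constructed sample rows standing in for a MySQL table (example data only).
SAMPLE_ROWS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Disposable in-memory SQLite database used in place of a MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_stmt_unquoted(name):
    """The pattern the mail warns about: the argument is pasted into the
    statement text as-is, so any quote it contains becomes SQL grammar."""
    return "SELECT name FROM users WHERE name = '" + name + "'"


def quote_literal(value):
    """Hypothetical minimal quoting helper: wrap in single quotes and double
    every embedded single quote (standard SQL; MySQL accepts it as well)."""
    return "'" + value.replace("'", "''") + "'"


def build_stmt_quoted(name):
    """Same statement, with the argument quoted before it is pasted in."""
    return "SELECT name FROM users WHERE name = " + quote_literal(name)


def run_unquoted(conn, name):
    """Execute the unquoted form and return the matching names, sorted."""
    return sorted(r[0] for r in conn.execute(build_stmt_unquoted(name)))


def run_quoted(conn, name):
    """Execute the quoted form and return the matching names, sorted."""
    return sorted(r[0] for r in conn.execute(build_stmt_quoted(name)))


def run_parameterised(conn, name):
    """Preferred form: the value is bound as a parameter and never becomes
    part of the statement text at all."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    # A value that merely contains a quote is enough to change the query's
    # meaning in the unquoted form; the other two treat it as plain text.
    tricky = "x' OR '1'='1"
    print("unquoted:     ", run_unquoted(db, tricky))
    print("quoted:       ", run_quoted(db, tricky))
    print("parameterised:", run_parameterised(db, tricky))
```

For an ordinary value such as `bob` all three functions return the same single row. For a value containing a quote character the unquoted form returns every row, because the quote terminates the literal and the rest of the string is parsed as SQL, while the quoted and parameterised forms return nothing, because no user is literally named that. A reviewer checking a class like MySQL.class can apply the same test: feed each string argument a value containing a single quote and confirm the generated statement still treats it as one literal.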
