Daniel,
I cannot help with opendbx, but I can comment on the way Glorp generates
SQL. You typically write blocks of code that look like a normal
Smalltalk block, but they have limitations to what you can write in
there. These blocks are evaluated and get converted to SQL by some kind
of Visitor. The SQL string is then concatenated out of fragments.
BUT: Glorp does not have an API to provide SQL fragments to include in a
query. So there is not an easy way to inject SQL into a Glorp generated
query. What you are asking for is not related to Glorp, but to the
underlying DB interface, DBXTalk in your case.
If you want to provide the user with the ability to provide SQL clauses
and construct queries out of that, I guess you are on your own.
So the question is: do your users write SQL fragments or are you
thinking of a tool to construct queries by example? Do you provide
objects to fill in some example data or do your users know the tables?
The right solution for you depends on what exactly you have in mind. For
our project we use Glorp and provide forms to enter string fragments or
number ranges or dates etc. Then we use these in Glorp's blocks. This
way the structure of the query is provided as Smalltalk code and only
user-provided data for the right-side operand of comparisons is provided
by the user. It is extremely hard to misuse this because the query
string will always be fixed and so fragments that include SQL will
always lead to SQL errors.
I am still learning about all the powerful things Glorp can do to
construct subqueries, outer joins, having clauses and stuff, but every
time I find something I am excited ;-).
HTH
Joachim
On 14.01.14 07:06, Daniel Lyons wrote:
I'd like to run some ad-hoc queries against my database without opening up a
security vulnerability. I don't see any direct way to use parameterized queries
from DBXTalk. I'd expect to see something like #executeStatement:withArguments:
but I don't. In fact, I don't even see odbx_escape in the image anywhere.
What's the trick here? Surely GlorpDBX et al. are not gluing together bits of
SQL with bits of user-supplied text and running it unescaped. What am I missing?
http://www.linuxnetworks.de/doc/index.php/OpenDBX/C_API/Usage#Executing_statements
Thanks for your time,
—
Daniel Lyons
--
-----------------------------------------------------------------------
Objektfabrik Joachim Tuchel mailto:jtuc...@objektfabrik.de
Fliederweg 1 http://www.objektfabrik.de
D-71640 Ludwigsburg http://joachimtuchel.wordpress.com
Telefon: +49 7141 56 10 86 0 Fax: +49 7141 56 10 86 1
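The pattern Joachim describes above (query structure fixed in a Glorp block, user input only as the right-hand operand of a comparison), shown as an added Pharo Smalltalk example that is not code from the thread. It assumes a Glorp descriptor system with a mapped class Person (attributes #name and #age) and an already logged-in GlorpSession in the variable session; the form values are constructed.

```smalltalk
"Added example, not from the thread. Assumes a mapped class Person
 (#name, #age) and a logged-in GlorpSession in the variable session."
| namePattern minAge unsafeSql query |

"Constructed form input. The second assignment is the shape of input
 that breaks string-built SQL; it is left commented out on purpose."
namePattern := 'Tuch%'.
"namePattern := '%'' OR 1=1 --'."
minAge := 18.

"Unsafe shape (what Daniel is worried about): the statement text is
 assembled from user input, so the input decides the structure.
 Shown only for contrast; never hand this to a raw-SQL entry point."
unsafeSql := 'SELECT * FROM person WHERE name LIKE ''', namePattern,
	''' AND age > ', minAge printString.

"Glorp shape: the structure lives in the Smalltalk block. Glorp's
 visitor turns the block into SQL and treats namePattern and minAge
 as comparison operands (data), never as SQL text, so the commented
 input above cannot add a second condition to the query."
query := Query read: Person
	where: [:each | (each name like: namePattern) & (each age > minAge)].
query orderBy: [:each | each name].

"Execute through the session; the result is a collection of Person."
(session execute: query)
	do: [:person | Transcript show: person name; cr].
```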