Esteban Lorenzano writes:

> no it's not :)
> I’m just changing servers and old .com.ar domain is still not refreshed (and
> you, accomplishing murphy’s law, just tried to hit the site now :).
> you can find it at dbxtalk.smallworks.eu

Thanks! This makes me feel much better.

> anyway… no, we did not implement sql injection defence. It is our
> understanding that that is better done at pharo level, before calling any dbx
> function.

I'm sure that if I could replace ' with '' on the way out it would be sufficient. Forgive my ignorance, but what's the simplest way to do that? Database vendors tend to provide a function that does at least that, and OpenDBX provides access to that via their odbx_escape function, but round-tripping through FFI for each component of a string may have undesirable performance ramifications.

--
Daniel Lyons
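One way to do the quote doubling on the Pharo side, without an FFI call per string, as an added example that is not part of the original message and not DBXTalk's own code. The block names (`quoteLiteral`, `intLiteral`), the `users` table and the sample values are hypothetical, and it assumes a backend that follows standard SQL, where backslash is not an escape character inside a string literal.

```smalltalk
"Playground snippet. quoteLiteral and intLiteral are hypothetical helpers, not DBXTalk API."
| quoteLiteral intLiteral name minAge sql |

"Render a String as an SQL string literal: wrap it in single quotes and
 double every embedded single quote.
 Assumption: the backend uses standard SQL literals. Where backslash is also
 an escape character, quote doubling alone does not cover it and the vendor
 routine (what odbx_escape wraps) is the one to use."
quoteLiteral := [ :aString |
	(aString includes: (Character value: 0))
		ifTrue: [ Error signal: 'NUL character in SQL string value' ].
	String streamContents: [ :out |
		out nextPut: $'.
		aString do: [ :ch |
			ch = $' ifTrue: [ out nextPut: $' ].
			out nextPut: ch ].
		out nextPut: $' ] ].

"Values placed outside quotes get no protection from quote doubling,
 so accept only real Integers there and print them ourselves."
intLiteral := [ :anObject |
	anObject isInteger
		ifFalse: [ Error signal: 'Expected an Integer for a numeric SQL value' ].
	anObject printString ].

"Constructed sample input."
name := 'O''Brien'.
minAge := 21.

sql := 'SELECT id FROM users WHERE name = ' , (quoteLiteral value: name)
	, ' AND age > ' , (intLiteral value: minAge).

"The embedded quote arrives doubled, so it stays inside the literal."
self assert: sql = 'SELECT id FROM users WHERE name = ''O''''Brien'' AND age > 21'.
sql
```

The escaping runs entirely in the image, so the only FFI crossing is the one that sends the finished statement.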
