Open fcr-- opened 5 years ago
MySQL support is on the way, but it requires way more changes since the methods for row access are all different. Done!
This is great news, I'll have a look at getting the ODBC and Firebird drivers working with the non-table parameters style soon.
Do you have any plans to expose prepared statements? It's very useful when doing batch work.
@blumf Yes, I'm currently implementing those changes into the mysql drivers. Others will follow!
Btw, I've just added a generic luasql_conn_execute function that could be used for all the drivers.
I don't wanna be annoying, but is this ever getting merged? Do you need help merging it?
I too am wondering if this will ever be merged! In late 2014 I was working on a lightweight blogging engine written in Lua, when I discovered during coding of the comment form that luasql would make the engine vulnerable to SQL injections. SQL injections are a fatal security flaw for a blogging engine, so I shelved the project.
I just came back to the project today, thinking of resurrecting it, but prepared statements are still unsupported. Using Lua + MySQL for anything that involves untrusted input really needs this feature.
Perhaps make a function that acts like prepare (a fake prepare), finish your project in the development environment only, and if prepared statements ever come, you will change only this one function (or find and replace in all files).
With this modification we can enjoy the security benefits of having prepared-statement-like additional parameters. To do this, the additional parameters should be passed after the statement in the execute method.
This means that a new prepared statement will be created on each execute call, so don't expect a huge performance increase. This is done for safety reasons.
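The "fake prepare" suggested earlier in the thread, written as an added example (not code from this PR or from LuaSQL): one `exec(conn, sql, ...)` function that, until the driver accepts parameters after the statement, quotes every value through the connection's `escape` method (assumed to behave as in the LuaSQL API) and substitutes `?` placeholders, which are an assumption of this shim, not the PR's syntax. Once the parameter style from this change is available, only the body of `exec` needs to switch to `conn:execute(sql, ...)`.

```lua
-- Added example: a single swap point for parameterized queries in LuaSQL.
-- Requires Lua 5.2+ for table.pack (table.pack keeps explicit nils countable).

-- Render one Lua value as an SQL literal, quoting strings via the driver.
local function quote(conn, v)
  local t = type(v)
  if v == nil then
    return "NULL"
  elseif t == "number" then
    return tostring(v)                      -- numbers need no quoting
  elseif t == "boolean" then
    return v and "1" or "0"
  elseif t == "string" then
    return "'" .. conn:escape(v) .. "'"     -- conn:escape assumed (LuaSQL API)
  else
    error("unsupported parameter type: " .. t)
  end
end

-- Replace each "?" with the matching quoted argument; refuse mismatched counts
-- so a missing or surplus value never silently changes the statement.
-- Caveat: "?" must not appear inside literals in the SQL text itself.
local function bind(conn, sql, params)
  local i = 0
  local out = sql:gsub("%?", function()
    i = i + 1
    if i > params.n then error("too few parameters for statement") end
    return quote(conn, params[i])
  end)
  if i < params.n then error("too many parameters for statement") end
  return out
end

-- The swap point. When native support lands, this body becomes
-- `return conn:execute(sql, ...)` and every call site stays unchanged.
local function exec(conn, sql, ...)
  return conn:execute(bind(conn, sql, table.pack(...)))
end

-- Usage from the comment-form case in the thread (sample values constructed):
-- local cur = exec(conn,
--   "INSERT INTO comments (post_id, author, body) VALUES (?, ?, ?)",
--   42, "O'Brien", "first comment")
return { exec = exec, bind = bind, quote = quote }
```

Escape-based quoting still depends on the connection character set being what the driver assumes, which is one reason native parameters remain the goal.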