Jan-Henrik,
Thanks for your reply.
One of the things that I'm still unsure about is string escaping on untrusted input values.
dbmail does a lot of 'INSERT INTO table (f1,f2,f3) VALUES (long, long, _escaped_string_)'
where the escaped strings are always put through the proper string escaping calls in the client lib of the selected backend.
As I understand things, for inserts this can be solved by using prepared statements (which is part of what I really like about libzdb).
But how about:
SELECT * FROM table WHERE f1 LIKE '%somestring%';
where again, somestring is totally untrusted user input.
Can I rewrite that code to do
SELECT * FROM table WHERE f1 LIKE ?
and bind the argument to somestring with the globbing char tacked onto both ends?
Anyway, it looks valid enough. Just haven't gotten around to testing it. I'll be busy adapting the internal db-api to align with libzdb's, but it's totally straightforward. Just a lot of changes because dbmail uses/used num_rows() a lot, and because dbmail uses one single global connector pointer (yuk).
I've already packaged libzdb, just need to convince my dbmail debian sponsor to help me out on this package as well. As soon as it's uploaded to unstable I'll notify you.
deb http://debian.nfgd.net/debian unstable main
kind regards,
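
An added example, not part of the original message and not dbmail or libzdb code: binding the `LIKE` argument keeps untrusted input out of the SQL text, but `%` and `_` inside the bound value are still treated as wildcards, so the value is escaped before the globbing characters are added. The names `like_contains_pattern`, `search_f1`, the `USE_LIBZDB` guard and the choice of `!` as the `ESCAPE` character are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Escape character declared to the database with ESCAPE '!'. Chosen here
 * (an assumption) because it needs no quoting inside a SQL literal. */
#define LIKE_ESC '!'

/* Build the value to bind for "f1 LIKE ? ESCAPE '!'": the untrusted input
 * with %, _ and the escape character neutralised, then % on both ends.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *like_contains_pattern(const char *untrusted)
{
    if (untrusted == NULL)
        return NULL;
    size_t n = strlen(untrusted);
    if (n > (SIZE_MAX - 3) / 2)      /* 2*n + 3 would overflow */
        return NULL;
    /* worst case: every byte escaped, plus two % and the terminator */
    char *out = malloc(2 * n + 3);
    if (out == NULL)
        return NULL;
    char *p = out;
    *p++ = '%';
    for (size_t i = 0; i < n; i++) {
        char c = untrusted[i];
        if (c == '%' || c == '_' || c == LIKE_ESC)
            *p++ = LIKE_ESC;         /* make the next byte a literal */
        *p++ = c;                    /* quotes etc. pass through unchanged */
    }
    *p++ = '%';
    *p = '\0';
    return out;
}

#ifdef USE_LIBZDB   /* hypothetical guard: built only where libzdb exists */
#include <zdb.h>
/* pattern must stay allocated until the statement has been executed */
ResultSet_T search_f1(Connection_T con, const char *pattern)
{
    PreparedStatement_T ps = Connection_prepareStatement(con,
        "SELECT * FROM table WHERE f1 LIKE ? ESCAPE '!'");
    PreparedStatement_setString(ps, 1, pattern);
    return PreparedStatement_executeQuery(ps);
}
#endif
```
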