Description:
When a parameter is bound with the SQL type SQL_WVARCHAR, its value is inserted as-is into the SQL string instead of being properly quoted. This can be seen in execute.c in the ODBC driver source: at the point where parameter substitution occurs in SQLExecute (line 436), the string types get special treatment, except for the wide types (SQL_WCHAR, SQL_WVARCHAR, etc.). These should be prefixed and suffixed with a quote character like the narrow string types are; instead they fall through to the default case and are pasted literally into the SQL string. Besides making the query fail, this means a bound wide-string value containing quote characters changes the text of the statement itself.
How to repeat:
The first snippet below fails, while the second, which differs only in the SQL type passed to SQLBindParameter (SQL_VARCHAR instead of SQL_WVARCHAR), succeeds:
/* Windows build assumed: SQLWCHAR is wchar_t, so L"..." and wcslen() apply.
   hStmt1 and g_hDbc are set up by the connect code. */
SQLWCHAR szParam[] = L"abc";      /* value to match against c2 */
SQLLEN   nIndicator = SQL_NTS;    /* szParam is null-terminated */
/* <connect to ODBC etc> */
/* Bind as a wide string: C type SQL_C_WCHAR, SQL type SQL_WVARCHAR.
   The driver pastes this value into the statement text unquoted,
   so the SQLExecute below fails. */
if(SQLBindParameter(hStmt1, 1, SQL_PARAM_INPUT, SQL_C_WCHAR,
                    SQL_WVARCHAR, sizeof(szParam), 0, szParam,
                    wcslen(szParam), &nIndicator) != SQL_SUCCESS)
{
    HandleOdbcError(g_hDbc, hStmt1);
    return 1;
}
if(SQLPrepare(hStmt1, (SQLCHAR *)"SELECT c1 FROM t1 WHERE c2 = ? ORDER BY c1",
              SQL_NTS) != SQL_SUCCESS)
{
    HandleOdbcError(g_hDbc, hStmt1);
    return 1;
}
if(SQLExecute(hStmt1) != SQL_SUCCESS)   /* fails with SQL_WVARCHAR */
{
    HandleOdbcError(g_hDbc, hStmt1);
    return 1;
}
/* <clean up code> */
/* Same as above, but the parameter is bound with SQL type SQL_VARCHAR.
   The narrow string type is quoted by the driver and the query succeeds. */
SQLWCHAR szParam[] = L"abc";      /* value to match against c2 */
SQLLEN   nIndicator = SQL_NTS;    /* szParam is null-terminated */
/* <connect to ODBC etc> */
if(SQLBindParameter(hStmt1, 1, SQL_PARAM_INPUT, SQL_C_WCHAR,
                    SQL_VARCHAR, sizeof(szParam), 0, szParam,
                    wcslen(szParam), &nIndicator) != SQL_SUCCESS)
{
    HandleOdbcError(g_hDbc, hStmt1);
    return 1;
}
if(SQLPrepare(hStmt1, (SQLCHAR *)"SELECT c1 FROM t1 WHERE c2 = ? ORDER BY c1",
              SQL_NTS) != SQL_SUCCESS)
{
    HandleOdbcError(g_hDbc, hStmt1);
    return 1;
}
if(SQLExecute(hStmt1) != SQL_SUCCESS)   /* succeeds with SQL_VARCHAR */
{
    HandleOdbcError(g_hDbc, hStmt1);
    return 1;
}
/* <clean up code> */
Suggested fix:
Either make sure that SQL_WVARCHAR, SQL_WCHAR and SQL_WLONGVARCHAR are handled properly (quoted like the narrow string types), or, which might at this point be more appropriate since MyODBC does not report these types as supported, raise a "data type not supported" error instead of silently pasting the text into the statement.
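To make the difference between the two substitution paths concrete, the following is an added example that models them in plain C. It is not MyODBC code and does not use the driver's buffers or functions: substitute_param() replaces the first '?' in a statement template with a wide-string value, either quoting it (wrapping in single quotes and doubling embedded quotes, one valid way to form a MySQL string literal) as the narrow string types get, or splicing it in verbatim as the default case described above does. The narrow() helper is an assumption for the example and only handles ASCII; a real driver would transcode to the connection character set.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Narrow a wide string to ASCII, one byte per wchar_t. Example-only
   simplification: non-ASCII characters become '?'. Caller frees. */
static char *narrow(const wchar_t *ws)
{
    size_t n = wcslen(ws), i;
    char *s = malloc(n + 1);
    if (!s)
        return NULL;
    for (i = 0; i < n; i++)
        s[i] = (ws[i] < 0x80) ? (char)ws[i] : '?';
    s[n] = '\0';
    return s;
}

/* Replace the first '?' in tmpl with value and return the new statement.
   quote != 0: wrap the value in single quotes and double any embedded
   single quote, so the value can only ever be a string literal.
   quote == 0: paste the text in verbatim (the default-case path the bug
   report describes), so the value becomes part of the SQL syntax.
   Returns NULL on allocation failure or if tmpl has no '?'. Caller frees. */
char *substitute_param(const char *tmpl, const wchar_t *value, int quote)
{
    const char *q = strchr(tmpl, '?');
    char *v, *out, *p;
    size_t i, vlen;

    if (!q)
        return NULL;
    v = narrow(value);
    if (!v)
        return NULL;
    vlen = strlen(v);
    /* worst case: every character doubled, plus two quotes and the NUL */
    out = malloc(strlen(tmpl) + 2 * vlen + 3);
    if (!out) {
        free(v);
        return NULL;
    }
    memcpy(out, tmpl, (size_t)(q - tmpl));
    p = out + (q - tmpl);
    if (quote)
        *p++ = '\'';
    for (i = 0; i < vlen; i++) {
        if (quote && v[i] == '\'')
            *p++ = '\'';            /* escape embedded quote by doubling */
        *p++ = v[i];
    }
    if (quote)
        *p++ = '\'';
    strcpy(p, q + 1);               /* rest of the template after '?' */
    free(v);
    return out;
}

int main(void)
{
    const char *tmpl = "SELECT c1 FROM t1 WHERE c2 = ? ORDER BY c1";
    const wchar_t *vals[] = { L"abc", L"it's" };   /* constructed inputs */
    size_t i;

    for (i = 0; i < 2; i++) {
        char *as_is  = substitute_param(tmpl, vals[i], 0);
        char *quoted = substitute_param(tmpl, vals[i], 1);
        printf("as-is : %s\nquoted: %s\n\n", as_is, quoted);
        free(as_is);
        free(quoted);
    }
    return 0;
}
```

With L"abc" the as-is path yields `c2 = abc`, which MySQL reads as a column reference rather than a string, which is why the SQL_WVARCHAR snippet above fails. With L"it's" the as-is path leaves an unbalanced quote in the statement while the quoted path yields `c2 = 'it''s'`, showing that only the quoting path keeps the value from altering the statement text.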