stopped lisp symbols as values from being able to inject sql (SECURITY BUG)
[clsql.git] / db-odbc / odbc-api.lisp
index 5d2acf964e88c5b1c25b60a3d2e984e18de3bced..076a59f45628434cdcb107171a9262948951930a 100644 (file)
@@ -673,9 +673,12 @@ as possible second argument) to the desired representation of date/time/timestam
                    (#.$SQL_SMALLINT (get-cast-short data-ptr)) ;; ??
                    (#.$SQL_INTEGER (get-cast-int data-ptr))
                    (#.$SQL_BIGINT (get-cast-big data-ptr))
-                   (#.$SQL_DECIMAL
-                    (let ((*read-base* 10))
-                      (read-from-string (get-cast-foreign-string data-ptr))))
+                   ;; TODO: Change this to read in rationals instead of doubles
+                   ((#.$SQL_DECIMAL #.$SQL_NUMERIC)
+                     (let* ((*read-base* 10)
+                            (*read-default-float-format* 'double-float)
+                            (str (get-cast-foreign-string data-ptr)))
+                       (read-from-string str)))
                    (#.$SQL_BIT (get-cast-byte data-ptr))
                    (t
                     (case c-type
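Review bot: The `read-from-string` call in the new `((#.$SQL_DECIMAL #.$SQL_NUMERIC) ...)` branch runs the full Lisp reader over text returned by the ODBC driver, and the `let*` does not bind `*read-eval*`. Unless it is bound to nil further out, a `#.` form in that string would be evaluated at read time; adding `(*read-eval* nil)` to the bindings closes that. The reader can also return a symbol or a list, so a check such as `(numberp value)` on the result before it is returned would keep non-numeric data out of the row. The enclosing function starts and ends outside this hunk, so an existing outer binding cannot be ruled out from here.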
@@ -702,8 +705,7 @@ as possible second argument) to the desired representation of date/time/timestam
                        (get-cast-binary data-ptr out-len *binary-format*))
                       ((#.$SQL_C_SSHORT #.$SQL_C_STINYINT) ; LMH short ints
                        (get-cast-short data-ptr)) ; LMH
-                      (#.$SQL_C_SBIGINT (uffi:allocate-foreign-object #.$ODBC-BIG-TYPE)
-                       (get-cast-short data-ptr))
+                      (#.$SQL_C_SBIGINT (get-cast-big data-ptr))
                       #+ignore
                       (#.$SQL_C_CHAR
                        (code-char (get-cast-short data-ptr)))