Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory consumption) by fetching data with BYTEA columns.
Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.
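The bug class behind that advisory, shown as an added example (my code, not DBD::Pg's): a libpq-style notice callback, with the same `(void *arg, const char *message)` signature that `PQsetNoticeProcessor` expects, that feeds the server-controlled message to a printf-style warning function as the format string, beside the hardened form that passes it as data. The `emit_warning()` stand-in for Perl's `warn()`, the 256-byte output buffer handed in through `arg`, and the hostile notice text are assumptions made for the example.

```c
/* Added example, not DBD::Pg's own code. Shows why a message the database
 * server controls must never become the *format* argument of warn()/croak()
 * or any printf-family call, and what the fixed shape looks like. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Perl's warn(): printf-style, but writes into out instead of
 * stderr so the result can be inspected. (Assumption of this example.) */
static void emit_warning(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the server's message *is* the format string. "%s" or "%n" in a
 * NOTICE makes vsnprintf read (or write) through arguments that were never
 * passed: undefined behaviour, typically a crash. Kept only to show the shape
 * of the bug; it is deliberately never called in this example. */
void notice_vulnerable(void *arg, const char *message)
{
    char *out = arg;                       /* assumed: 256-byte buffer */
    emit_warning(out, 256, message);       /* same shape as warn(message) */
}

/* HARDENED: a constant format, the message is ordinary data. */
void notice_hardened(void *arg, const char *message)
{
    char *out = arg;                       /* assumed: 256-byte buffer */
    emit_warning(out, 256, "%s", message); /* same shape as warn("%s", message) */
}

/* Count the conversion directives a string would trigger if misused as a
 * printf format: every '%' that is not half of an escaped "%%". Useful as a
 * regression check, or to flag suspicious server notices in logs. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                 /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Run the hardened handler over a notice and hand back what it produced. */
const char *hardened_output(const char *notice, char *buf)
{
    buf[0] = '\0';
    notice_hardened(buf, notice);
    return buf;
}

int main(void)
{
    /* Constructed sample: what a hostile server could send as a NOTICE. */
    const char *hostile = "NOTICE: relation %s%s%s%n does not exist";
    char buf[256];

    printf("directives in notice: %d\n", count_format_directives(hostile));
    printf("hardened output     : %s\n", hardened_output(hostile, buf));
    return 0;
}
```

The hardened handler reproduces the notice byte for byte, `%n` included, because `vsnprintf` only interprets the constant `"%s"`; the same idea applies to the statement text reaching `croak()` in the prepare path, where table and column names the server echoes back are just as attacker-influenced.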
$sth->{TYPE} now returns SQL_TYPE_TIMESTAMP instead of 1114 for timestamp columns. (In 1.31_x {x| x<8} $sth->{TYPE} returned 0; reported by ["Hirche, Joachim" <Joachim.Hirche@cimconcepts.com>].)
Raised required versions to Perl 5.6.1 and DBI 1.35
Fix syntax error related to pg_server_version (CPAN bugs #2492 and #2755)
Cache multiple calls to pg_server_version.
Notice messages generated by the database now go through the Perl warning mechanism instead of straight to stderr.
Dominic Mitchell <dom@semantico.com>
$dbh->prepare() rewrites the SQL statement into an internal form, stripping out comments and whitespace, and if PostgreSQL > 7.3 takes the stripped statement and passes that to Postgres' PREPARE statement, then rewrites the statement as 'EXECUTE "DBD::PG::cached_query n" ($1, $2, ... $n, $n+1)' for DBD::Pg's execute.
Currently disabled until PREPARE works a little better
Allows the use of :n and :foo bind params. So: (SELECT * FROM foo WHERE 1 = :this and 2 = :that) will now work.
Complains on execute when unbound bind params are submitted (instead of defaulting to NULL)
Switched over to use driver.xst.
pg_error() now removes newlines rather than truncating the message at the first newline.
Fixed a statement-scan problem where the preparse of "SELECT foo[3:33] from bar" treated :33 as a placeholder
Moved the quoting of bind values out of execute() and into bind -- as there is no need to requote the value every time execute is called.
:veryverylongplaceholdername == long walk, short pier (overlong placeholder names) -- fixed.
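The placeholder handling described in the prepare(), :name/:n, foo[3:33] and long-placeholder-name entries above, as one added example (my code, not DBD::Pg's). It scans a statement, rewrites `?`, `:n` and `:name` placeholders into PostgreSQL's `$1, $2, ...` form and records each placeholder's spelling so execute() could map a named bind to its position. The scanning rule is this example's own, not necessarily the module's: a colon opens a placeholder only when the previous character is neither a word character nor another colon and the next character is a word character, which leaves the slice `foo[3:33]` and the cast `x::int` alone; quoted strings, quoted identifiers and comments are copied through untouched, and a name longer than the fixed buffer is refused instead of overrun. The `MAX_PH`/`MAX_NAME` limits and the sample statements are assumptions of the example.

```c
/* Added example, not DBD::Pg's own code: placeholder scanning and rewriting
 * to $N form, with the foo[3:33] / x::int / overlong-name cases handled. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PH   32   /* assumed limits for the example */
#define MAX_NAME 64

typedef struct {
    int  count;                    /* placeholders found, in statement order */
    char name[MAX_PH][MAX_NAME];   /* ":this", ":1", "?" ... as written */
} placeholders;

static int is_word(char c)
{
    unsigned char u = (unsigned char)c;
    return u == '_' || isalnum(u);
}

/* Append one char to out, keeping it NUL-terminated; -1 if out is full. */
static int put(char *out, size_t outlen, size_t *o, char c)
{
    if (*o + 1 >= outlen) return -1;
    out[(*o)++] = c;
    out[*o] = '\0';
    return 0;
}

/* Rewrite sql into out. Returns the placeholder count, or -1 if out or a
 * placeholder name would overflow (the long-name bug, handled by refusing). */
int rewrite_placeholders(const char *sql, char *out, size_t outlen, placeholders *ph)
{
    size_t i = 0, o = 0, len = strlen(sql);
    ph->count = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';

    while (i < len) {
        char c = sql[i];
        char prev = i ? sql[i - 1] : ' ';

        if (c == '\'' || c == '"') {                  /* literal / quoted identifier */
            char q = c;
            if (put(out, outlen, &o, sql[i++])) return -1;
            while (i < len) {
                char d = sql[i++];
                if (put(out, outlen, &o, d)) return -1;
                if (d == q) {
                    if (i < len && sql[i] == q) {       /* doubled quote = escaped */
                        if (put(out, outlen, &o, sql[i++])) return -1;
                        continue;
                    }
                    break;
                }
            }
        } else if (c == '-' && sql[i + 1] == '-') {   /* -- comment to end of line */
            while (i < len && sql[i] != '\n')
                if (put(out, outlen, &o, sql[i++])) return -1;
        } else if (c == '/' && sql[i + 1] == '*') {   /* block comment */
            while (i < len && !(sql[i] == '*' && sql[i + 1] == '/'))
                if (put(out, outlen, &o, sql[i++])) return -1;
            for (int k = 0; k < 2 && i < len; k++)      /* the closing star-slash */
                if (put(out, outlen, &o, sql[i++])) return -1;
        } else if (c == '?' ||
                   (c == ':' && !is_word(prev) && prev != ':' && is_word(sql[i + 1]))) {
            size_t n = 0;
            char num[16];
            if (ph->count >= MAX_PH) return -1;
            ph->name[ph->count][n++] = sql[i++];        /* ':' or '?' */
            if (c == ':')
                while (i < len && is_word(sql[i])) {
                    if (n >= MAX_NAME - 1) return -1;   /* overlong name: refuse */
                    ph->name[ph->count][n++] = sql[i++];
                }
            ph->name[ph->count][n] = '\0';
            ph->count++;
            snprintf(num, sizeof num, "$%d", ph->count);
            for (const char *p = num; *p; p++)
                if (put(out, outlen, &o, *p)) return -1;
        } else {
            if (put(out, outlen, &o, sql[i++])) return -1;
        }
    }
    return ph->count;
}

int main(void)
{
    /* Constructed sample statements. */
    const char *samples[] = {
        "SELECT * FROM foo WHERE 1 = :this and 2 = :that",
        "SELECT foo[3:33] from bar",
        "SELECT x::int, 'a:b', ? FROM t WHERE y = :1",
    };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        placeholders ph;
        char out[256];
        int n = rewrite_placeholders(samples[s], out, sizeof out, &ph);
        printf("%d placeholder(s): %s\n", n, out);
    }
    return 0;
}
```

Because the names are recorded, a bind_param(':that', ...) call can be resolved to `$2` and, as the execute() entry above asks, any `$N` that never received a bind can be reported instead of silently defaulting to NULL.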
quote() is now in C and uses same code as bind_param.
Quoting and dequoting now use libpq quoting functions where available (I still need to take the libpq functions swiped out of quote.c and move it into libpqswip.c with license info &c., and switch ifndefs to ifdefs)
bind_param() will convert from 1,0 to TRUE/FALSE when pg_type is PGBOOLOID.
Fixed many heap buffer overruns.
Added support for the get_info() method [Greg Sabino Mullane]
Added tests for POD validation [Mark Stosberg]
Several improvements to column_info, including:
  Fixed column_info so NULLABLE field shows correctly. [kevin@sysexperts.com]
  REMARKS field works now [Mark Stosberg]
  COLUMN_DEF fixed
  COLUMN_SIZE fixed
  pg_constraint column added to display column constraints
  additional documentation and tests added
make test is now more intelligent and will bail out early if db connection fails. [Greg Sabino Mullane]