path: root/statement.c
author: Heikki Linnakangas, 2015-01-13 21:29:48 +0000
committer: Heikki Linnakangas, 2015-01-13 22:50:18 +0000
commit: d7fd0d4aba0db33091a2bf140ce5efe73f2fbb7a (patch)
tree: 76ba80b892739a5676928ae79e9cbe0ff98b4ebc /statement.c
parent: 30dbaa0e0b92b991fcd705bb05f21fa936845db8 (diff)
Fix various quoting issues in sending query parameters to server.
The code used to just assume that if the parameter's SQL type is SQL_INTEGER or SQL_SMALLINT, it doesn't need quoting. While that's true for valid integer values, there were no safeguards that the bound string is actually valid input. The server will just throw an error on invalid input, but we need to quote it correctly to send it to the server in the first place. For example, if the string "123, 'inject'" is bound to an SQL_INTEGER param, we need to quote it or the server will interpret it as part of the query.

Also add a test case for this.

Reported by Jeremy Faith.
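The failure mode the commit describes, as an added example that is not psqlodbc's own code: a driver that trusts the declared SQL type and splices the bound string into the query text unquoted, beside a version that first checks that the string really is an integer literal and otherwise sends it as a quoted string literal, so the server sees a single token and raises a type error rather than executing the injected SQL. The function names (`is_plain_integer`, `quote_literal`, `render_integer_param`, `render_integer_param_unsafe`) and the sample inputs are assumptions made for this illustration; the quoting assumes the server runs with standard_conforming_strings=on, so only embedded single quotes need doubling.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names for this example; not psqlodbc's own functions. */

/* Returns 1 if s is a plain SQL integer literal: optional sign followed by
 * one or more ASCII digits and nothing else. Anything else, including an
 * empty string, whitespace, or a trailing "', 'inject'", returns 0. */
int is_plain_integer(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    if (*s == '+' || *s == '-')
        s++;
    if (*s == '\0')
        return 0;                       /* a bare sign is not a number */
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Writes s into out as a single-quoted SQL string literal, doubling any
 * embedded single quote. Assumes standard_conforming_strings=on, so a
 * backslash is an ordinary character and needs no escaping.
 * Returns the number of bytes written (excluding the NUL), or -1 if out
 * is too small to hold the result. */
int quote_literal(const char *s, char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen < 3)                      /* need room for '' and NUL */
        return -1;
    out[n++] = '\'';
    for (; *s; s++) {
        size_t need = (*s == '\'') ? 2 : 1;
        if (n + need + 2 > outlen)       /* char(s) + closing quote + NUL */
            return -1;
        out[n++] = *s;
        if (*s == '\'')
            out[n++] = '\'';
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Safe rendering of a string bound to an SQL_INTEGER / SQL_SMALLINT
 * parameter: valid integers go unquoted, everything else is sent as a
 * quoted literal so the server rejects it with a type error instead of
 * parsing it as part of the statement. */
int render_integer_param(const char *bound, char *out, size_t outlen)
{
    if (is_plain_integer(bound)) {
        size_t len = strlen(bound);
        if (len + 1 > outlen)
            return -1;
        memcpy(out, bound, len + 1);
        return (int)len;
    }
    return quote_literal(bound, out, outlen);
}

/* The behaviour the commit removes: trust the declared SQL type and copy
 * the bound string into the query text verbatim. */
int render_integer_param_unsafe(const char *bound, char *out, size_t outlen)
{
    size_t len = strlen(bound);
    if (len + 1 > outlen)
        return -1;
    memcpy(out, bound, len + 1);
    return (int)len;
}

int main(void)
{
    /* Constructed sample bindings: two valid integers, two injection attempts. */
    const char *inputs[] = { "123", "-42", "123, 'inject'", "1; DROP TABLE t; --" };
    char buf[128];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        render_integer_param_unsafe(inputs[i], buf, sizeof buf);
        printf("unsafe: SELECT * FROM t WHERE id = %s\n", buf);
        render_integer_param(inputs[i], buf, sizeof buf);
        printf("fixed:  SELECT * FROM t WHERE id = %s\n", buf);
    }
    return 0;
}
```

With the unsafe renderer the third input yields `WHERE id = 123, 'inject'`, which the server parses as two expressions; with the fixed renderer it yields `WHERE id = '123, ''inject'''`, a single string literal that fails integer coercion on the server, which is exactly the error the commit message says the server should be the one to raise.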
Diffstat (limited to 'statement.c')
0 files changed, 0 insertions, 0 deletions