Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked

Re: SQL Quoting

by Masem (Monsignor)
on Jan 28, 2002 at 19:07 UTC ( #142064=note: print w/replies, xml ) Need Help??

in reply to SQL Quoting

Are you using DBI? If so, you should use placeholders to specify what gets put into the DB. Before being added, all questionable characters, including single and double quotes, are appropriate escaped to avoid problems.
use DBI; my $dbh = DBI->connect( ... ); my $sth = $dbh->prepare( "INSERT INTO table VALUES ( ?, ?, ? )" ) or d +ie $DBI->errstr; $sth->execute( $name, $address, $comment ) or die $DBI->errstr;
In the case above, the SQL that will be processed is:
INSERT INTO table VALUES ( $name, $address, $comment )
But with $name, $address, and $comment appropriate escaped to avoid problems with quoted characters.

Dr. Michael K. Neylon - || "You've left the lens cap of your mind on again, Pinky" - The Brain
"I can see my house from here!"
It's not what you know, but knowing how to find it if you don't know that's important

Replies are listed 'Best First'.
Re: Re: SQL Quoting
by Matts (Deacon) on Jan 28, 2002 at 22:24 UTC
    And the biggest bonus of all: Most modern DB's will cache the statement handle for you so that you can use the same SQL again and again, and it won't have to go through the SQL parsing overhead (not that there's much overhead, but it's still a bonus). Plus you can use $dbh->prepare_cached() if the underlying database doesn't do that for you.

    In summary, always use placeholders. There's simply no reason not to.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://142064]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others making s'mores by the fire in the courtyard of the Monastery: (7)
As of 2018-05-23 13:28 GMT
Find Nodes?
    Voting Booth?