comment on

Always use the single quotes. WRT the perl API, you can also use placeholders

Sorry, bad advise:

"Always use single quotes" is too much work. There is no need to quote numbers, doing so makes the job harder for the database.
"Always use single quotes" is just plain wrong. It makes people think "just add the magic quotes and everything will be well". Even with the quotes, the SQL is still vulnerable to SQL injection. You really want proper quoting here.
While most databases use single quotes, some exotic ones may use other quotes. So, you first need to find out HOW to quote properly.

Luckily, all this has already been done in DBI and the various DBDs, there is no need to reinvent the wheel. So, the last part should really read: "You SHOULD use placeholders". Unfortunately, DBI does not force you to use them, because that would be too much work. It really should, so you better read that advice as "You MUST use placeholders".

Some technical background: DBI guarantees that you can use "?" placeholders with each and every database supported by DBI, even if the database itself does not support placeholders. DBI will automatically insert all bind values, properly quoted, into the SQL statement before it is passed to the database. Since most DBs do support placeholders, using them costs really nothing. Even better, because most DB APIs use seperate ways for the SQL statement and the bind values, there is absolutely no need to quote anything at the Perl or the DB API level. As a nice side effect, your code can work with every database that understands SQL (unless you use some DB-specific, non-standard SQL). And, for extra bonus points, the prepared SQL statement with placeholders can be cached.

Imagine you need to run 20.000 queries (insert, select, update, whatever) against a database, that differ only in the values used. Using hardcoded SQL, you have to generate 20.000 SQL statements, pass them to the database, have the database parse them 20.000 times, and finally execute the one of the 20.000 parsed SQL statements, returning a result. With placeholders, you write ONE query containing placeholders, pass that query ONCE to the database, have the database parse that query ONCE, and finally you play ping-pong with the database: One set of values in, one result out, without any parsing or quoting, as fast as your Perl code can handle the data.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

In reply to Re^2: Referencing MySQL Results by Column by afoken
in thread Referencing MySQL Results by Column by TheBiscuit

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


We don't bite newbies here... much
	PerlMonks