Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Re: Re: Re: Test if string is already quote()'d?

by Seumas (Curate)
on Jun 17, 2003 at 22:32 UTC ( #266671=note: print w/ replies, xml ) Need Help??


in reply to Re: Re: Test if string is already quote()'d?
in thread Test if string is already quote()'d?

It's true that I do have a degree of control over things here in that all of the software code is written by my hand and my hand only - and that the input comes almost entirely from form-input by users.

Part of my intention here, however, was to decide whether I would have to force myself to always send quoted or non-quoted variables to my functions and stick with that practice, or if I could very easily write my functions so that they could say "oh, this is already quoted so I'll use it as-is" and "this one isn't quoted, so I'll quote() first before applying it into the SQL query".

Also, doing some quote testing would probably suck as I allow HTML in the input (it's an auction site).

Since I was finally able to refine my abstraction layer to something very simple when it comes to the INSERT and UPDATES, I've decided to stick with the practice of _NEVER_ quote()'ing anything. I'll just pass everything to my Auction::DB class and let it do the work (I know, I should have done this in the first place, but I was looking for a solution outside of putting it in my DB class since I wasn't quite ready to roll it out yet).


Here is the solution I have used:

I have an sqlInsert() method in my Auction::DB class:

sub sqlInsert { my($self, $table, $data) = @_; my $names = join(", ", map { /^[_|-](.*)/; } keys %{$data}); my $pholders = join(', ', ('?') x keys %{$data}); $self->_sqlExecute("INSERT INTO $table ($names) VALUES($pholders)", +values %{$data}); } sub _sqlExecute { my ($self, $sql, @values) = @_; $self->_sqlConnect(); my $retval; eval { my $sth = $self->{_dbh}->prepare($sql); $retval = $sth->execute(@values); }; if ($@) {croak ($@ . "\nSQL: $sql\n" . Dumper(\@_));} return $retval; }


Then I call it like this (by the way, I use PostgreSQL but this should work with most DBs):

sub createNewAccount { my ($self, $fields) = @_; # Verify required fields. $self->_validateUsername($fields->{_USERNAME}); $self->_validateEmailAddress($fields->{_EMAIL_ADDRESS}); # Populate other required fields. $fields->{_PASSWORD} = $self->_makePassword(); $fields->{_CREATION_DATE} = 'now()'; } $self->sqlInsert('user_accounts',$fields); $self->sqlCommit; }


Now, I never need to concern myself with quoting again. And yes, I know I should have just done this in the first place, but I was looking to tidy up my existing code separately from my transition to a mod_perl/OO based re-write of the site (which I am actually in the process of doing right now).

I also understand that Perl is a horrible first language and it's a really bad idea to make Perl your first introduction to object oriented coding. However, I started my software in Perl five years ago, that's what it's in now, it's what I know the best (so far) and it's more important to maintain/improve the software and the site as it is now than to rewrite a 16,000+ line program in an entirely different (and new to me) language.

Fortunately, I've had Perlmonks to refer to as a lot of the pitfalls and questions I've encountered during this transition to OO have already been asked by others. :)


Comment on Re: Re: Re: Test if string is already quote()'d?
Select or Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://266671]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (12)
As of 2015-07-31 10:40 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









    Results (276 votes), past polls