http://www.perlmonks.org?node_id=307067


in reply to Use placeholders. For SECURITY!


Re: Re: Use placeholders. For SECURITY!
by runrig (Abbot) on Nov 14, 2003 at 18:24 UTC
    I suspect your definition of a "placeholder" is my definition of a "host variable".

    They are essentially the same thing. Though when I think of 'host variables' (or bind variables), it's usually in languages that support embedding a named variable inside the SQL statement, e.g. "select stuff from table where id_column = :id_number", and 'id_number' is a variable in the program. The Perl/DBI way is to use a question mark instead of a program variable (which is what many databases natively support anyway), then bind a value to it when (or before) you execute the statement. (Some databases support named parameters which would look like a host variable, but in Perl you'd still have to bind a value to it, so it wouldn't be an actual Perl 'host' variable.)

    Placeholders, bind variables, host variables, or whatever you want to call them are a good idea in any programming language database API that supports them, and pasting raw unfiltered (and untrusted) user input into a SQL statement in any programming language is bad.

Re: Re: Use placeholders. For SECURITY!
by tilly (Archbishop) on Nov 14, 2003 at 18:31 UTC
    Good point, and you're right about what a placeholder is. My bad assumption was that most of the people this was addressed to have read the documentation for DBI and are familiar with its terminology.
Re: Re: Use placeholders. For SECURITY!
by talexb (Chancellor) on Nov 14, 2003 at 15:54 UTC
      Boo hiss. No explanation of what a placeholder is. While I could google for it, this article significantly lacks without a clear definition.

    And boo hiss to you too. You don't even need to go to Google to learn about placeholders -- just do a search on this site and you'll find plenty of explanations.

    And I suspect your definition of "technical know-how" relies more on trolling than on craftsmanship.

    --t. alex
    Life is short: get busy!

    Update: Apologies all (especially original poster tilly) if this node seemed a little hard on the Anonymous Monk. I just thought it was odd that someone would go to the trouble of reading a DBI-related post without knowing what a placeholder was, then complain about it without doing any research.

      That was seriously uncalled for. The AM's point was good, and I must say that had I run across a forum where someone was posting on why host variables are a good thing, I would have been left similarly confused. Yes, you can search. But you shouldn't have to.

      Remember that general Perl knowledge does not imply knowledge of various APIs. And I know of top-flight Perl programmers who have never used SQL. If someone has used SQL extensively, but from C, then being introduced to a new vocabulary to understand an old concept is going to leave you unhappy with good reason.

      Incidentally host variables are not quite placeholders (they use the same API in DBI, the syntax is a tad different - :foo vs ? - and the placeholder syntax is more portable), but they are close enough to get the point.
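As an added illustration of runrig's and tilly's points above (this is not code from the thread), the script below runs the same lookup three ways against a throwaway in-memory SQLite table: with the untrusted value pasted into the statement text, with a DBI `?` placeholder, and with the `:name` syntax that looks like a host variable but still needs an explicit bind. It assumes DBD::SQLite is installed; the table and the "user input" are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed fixture: an in-memory SQLite database so the script runs
# stand-alone (assumes DBD::SQLite is available).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->do("INSERT INTO users VALUES (1, 'alice')");
$dbh->do("INSERT INTO users VALUES (2, 'bob')");

# Constructed "user input": not a valid id, but carries SQL of its own.
my $untrusted = "0 OR 1=1";

# 1. Raw interpolation: the input becomes part of the statement text, so
#    the database parses "... WHERE id = 0 OR 1=1" and the condition is
#    true for every row. This is the pattern the thread warns against.
my $rows_interp = $dbh->selectall_arrayref(
    "SELECT name FROM users WHERE id = $untrusted");
print "interpolated:   ", scalar(@$rows_interp), " row(s)\n";

# 2. Positional placeholder (?): the statement is prepared first and the
#    value is bound afterwards as data. The string "0 OR 1=1" is compared
#    against the id column as a value, so it matches nothing.
my $sth = $dbh->prepare("SELECT name FROM users WHERE id = ?");
$sth->execute($untrusted);
my $rows_q = $sth->fetchall_arrayref;
print "placeholder ?:  ", scalar(@$rows_q), " row(s)\n";

# 3. Named placeholder (:id), the host-variable-looking syntax tilly
#    mentions. DBD::SQLite accepts it, but the value is still supplied by
#    an explicit bind_param call; the driver does not read a Perl variable.
$sth = $dbh->prepare("SELECT name FROM users WHERE id = :id");
$sth->bind_param(':id', 2);
$sth->execute;
my $rows_named = $sth->fetchall_arrayref;
print "placeholder :id: ", join(',', map { $_->[0] } @$rows_named), "\n";

$dbh->disconnect;
```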

        Update: Apologies all (especially original poster tilly) if this node seemed a little hard on the Anonymous Monk. I just thought it was odd that someone would go to the trouble of reading a DBI-related post without knowing what a placeholder was, then complain about it without doing any research.

      I'm the Anonymous Monk you've been corresponding with -- I just noticed your update. Can you clarify for me where it indicates that this is a DBI thread?

      I found this article via an RSS link which wasn't flagged as DBI. DBI is mentioned very few times in the _comments_ and only twice (after update) in the article. The original instance of it didn't actually relate placeholders and DBI, only saying that installing the latest DBI offers more security.

      Thank you tilly for adding the newbie-friendly explanation.

      Sorry to have eaten up so much time with this thread, but I appreciate everyone's feedback.
          I'm the Anonymous Monk you've been corresponding with -- I just noticed your update. Can you clarify for me where it indicates that this is a DBI thread?

        In fact, the original post didn't identify placeholders at all, something that brother tilly has added to the post. I am totally at fault for jumping on your innocent comment with hob-nailed boots. I hope you accept this apology -- I have been working with DBI almost exclusively since 1998, so placeholders are as obvious to me as the print statement.

        They have a good saying in Texas -- "Be sure your words are soft and sweet, in case you have to eat them some day." Sure wish I'd remembered that when I clicked on 'Reply'. You can bet I'll think about it in the future.

        --t. alex
        Life is short: get busy!
      Why do you feel the need to get personal?

      I'm not a regular to this site (thusly, I don't plan on registering), but there seems to be some huge assumption that all of perlmonks.org readership comes from people that spend vast amounts of time on this site. I find my way here from time to time based on an interesting RSS headline that I would like to know more about.

      If the mentality on this site is that I need to have read all articles prior to this one to understand what the article is talking about (and thus, be a perlmonks.org expert, as I'm sure you are), and the other readers of this site are as hostile as you are, then it's time for me to move on.

      Good day to you.
          Why do you feel the need to get personal?

        Well, I guess we've veered into the humorous portion of the day, because it's hard to understand how my post could be construed as personal when you're posting as an Anonymous Monk. :)

          ... but there seems to be some huge assumption that all of perlmonks.org readership comes from people that spend vast amounts of time on this site.

        Not really, we just assume that if you are commenting on something that you have something useful to say .. and that presumes that you understand the technical background. The original post had links to other nodes with relevant information, which you should have read if you were going to respond and not waste everyone's time.

          If the mentality on this site is that I need to have read all articles prior to this one to understand what the article is talking about (and thus, be a perlmonks.org expert, as I'm sure you are), and the other readers of this site are as hostile as you are, then it's time for me to move on.

        Yes, surprisingly, we do expect posters to make intelligent, informed comments. It keeps the noise level down. And if you have misinterpreted my polite remonstrations and reasoning as hostility, your skin is way too thin.

        --t. alex
        Life is short: get busy!