PerlMonks
Re^3: DBD::SQLite select fails by AppleFritter (Vicar)
on Aug 12, 2014 at 12:31 UTC
It's a habit of mine; I tend to escape special characters in double-quoted strings. After all, you said you wanted to execute the following SQL statement:
without any interpolation possibly happening in Perl. However, in this case it's not actually necessary to do so: remove the backslashes from the INSERT OR REPLACE statement, and the script will still work. Don't be afraid to experiment; give it a try.
It depends. On Perl's side, you will have to escape everything that Perl might otherwise interpret/interpolate. For the database side, take a look at SQLite's syntax diagrams, and also the reference page for expressions, which has this to say:
Then again, the only thing that you'll have to escape on the DB is the single quote character itself. To do that, put in two single quotes. Replacing the INSERT OR REPLACE line in the above script with the following (note I also unescaped the ampersands here):
results in:
The backslash in the output is due to Data::Dumper, BTW, so don't let that confuse you. All in all, I'd recommend two things:
For instance (linebreaks added for clarity), for statements that don't change:
For statements that DO change, use ->prepare() and ->bind_param() instead:
Don't assemble query strings in Perl using interpolation or string concatenation; this will lead to bugs and/or security risks. ("Little Bobby Tables" and all that.)
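The two recommendations above (a fixed statement with the single quote doubled for SQLite, and prepare()/bind_param() for statements whose values change), as an added, self-contained example that is not part of the original reply. It uses an in-memory SQLite database and a hypothetical `people` table of my own; the names and notes are constructed sample data. The interpolated SELECT is included only to show how it breaks on the first apostrophe, which is the bug the placeholder version avoids.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database: nothing is written to disk.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Hypothetical table for the demonstration.
$dbh->do("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, note TEXT)");

# 1. A statement that never changes: the only character SQLite needs escaped
#    is the single quote, written as two single quotes. The ampersand needs no
#    escaping on either the Perl or the SQLite side. q{} avoids Perl interpolation.
$dbh->do(q{INSERT OR REPLACE INTO people (name, note) VALUES ('O''Brien', 'R&D')});

# 2. Statements whose values change: prepare once, bind per execution.
#    The driver passes each value to SQLite as data, never as SQL text, so
#    quotes, semicolons and comment markers in the value are stored verbatim.
my $ins = $dbh->prepare("INSERT OR REPLACE INTO people (name, note) VALUES (?, ?)");
my @rows = (
    [ "D'Angelo",      "Sales & Support" ],
    [ "Tables, Bobby", "Robert'); DROP TABLE people;--" ],   # constructed sample
);
for my $row (@rows) {
    $ins->bind_param(1, $row->[0]);
    $ins->bind_param(2, $row->[1]);
    $ins->execute;
}

# 3. Interpolating a value into the SQL string breaks as soon as it contains
#    an apostrophe: SQLite sees  name = 'O'Brien'  and rejects the statement.
my $name = "O'Brien";
my $ok = eval {
    $dbh->selectall_arrayref("SELECT name FROM people WHERE name = '$name'");
    1;
};
print "interpolated query failed as expected: $@" unless $ok;

# 4. The same lookup with a placeholder handles the apostrophe correctly.
my $sel = $dbh->prepare("SELECT name, note FROM people WHERE name = ?");
$sel->execute($name);
while (my ($n, $note) = $sel->fetchrow_array) {
    print "$n => $note\n";
}

# The table survived the "Bobby Tables" value because it was bound, not interpolated.
my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM people");
print "rows in people: $count\n";
```

Run it with `perl` and DBD::SQLite installed; the third step prints an "unrecognized token" style error from SQLite, the fourth prints `O'Brien => R&D`, and the final count is 3.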
In Section: Seekers of Perl Wisdom