Answer: What are placeholders in DBI, and why would I want to use them?

I'd just like to add that extensive use of DBI-placeholders renders a CGI-app basically IMMUNE to the so-called "SQL-injection" family of attacks, which consist of shoving a bit of nasty SQL instrucions down your CGI's thraot, which it would - if it doesn't use placeholders or another escaping tactic, just pass on to the DB.
This, all by itself, is a very, very nice thing to have, i think. additionally, you can never be sure that some data you could've sworn would never contain a single-quote doesn't end up containing one some day, leaving you with a sometimes quite cryptic syntax-error.

Comment on Answer: What are placeholders in DBI, and why would I want to use them?
Re: Answer: What are placeholders in DBI, and why would I want to use them? by EvdB (Deacon) on Nov 13, 2003 at 09:21 UTC
You mean that DBI queries should be written: `my $query = $dbh->prepare ( "select id, name from user where name = ?" ); $query->execute( $name_from_params );` [download] Instead of: `my $query = $dbh->prepare ( "select id, name from user " . "where name = '$name_from_params'" ); $query->execute();` [download] Couldn't agree more. --`tidiness is the memory loss of environmental mnemonics`	[reply] [d/l] [select]
Re: Answer: What are placeholders in DBI, and why would I want to use them? by jZed (Prior) on Nov 13, 2003 at 15:50 UTC
You have mentioned two good reasons for using placeholders - security and problems with embedded quote marks. There is a third reason which applies in many situations: placeholders, when properly placed outside of a loop save time by allowing the RDBMS to parse and optimize the SQL statement once and then execute it many times without re-parsing or re-optimizing it.	[reply]


Perl-Sensitive Sunglasses
	PerlMonks

Answer: What are placeholders in DBI, and why would I want to use them?

The best material for plates (tableware) is: