Answer: What are placeholders in DBI, and why would I want to use them?

by schweini (Friar)
on Nov 13, 2003 at 08:29 UTC


I'd just like to add that extensive use of DBI placeholders renders a CGI app basically IMMUNE to the so-called "SQL injection" family of attacks, which consist of shoving a bit of nasty SQL instructions down your CGI's throat, which it would, if it doesn't use placeholders or another escaping tactic, just pass on to the DB.
This, all by itself, is a very, very nice thing to have, I think. Additionally, you can never be sure that some data you could've sworn would never contain a single quote doesn't end up containing one some day, leaving you with a sometimes quite cryptic syntax error.

Re: Answer: What are placeholders in DBI, and why would I want to use them?
by EvdB (Deacon) on Nov 13, 2003 at 09:21 UTC
    You mean that DBI queries should be written:
    my $query = $dbh->prepare ( "select id, name from user where name = ?" ); $query->execute( $name_from_params );
    Instead of:
    my $query = $dbh->prepare ( "select id, name from user " . "where name = '$name_from_params'" ); $query->execute();
    Couldn't agree more.

    --tidiness is the memory loss of environmental mnemonics

Re: Answer: What are placeholders in DBI, and why would I want to use them?
by jZed (Prior) on Nov 13, 2003 at 15:50 UTC
    You have mentioned two good reasons for using placeholders - security and problems with embedded quote marks. There is a third reason which applies in many situations: placeholders, when properly placed outside of a loop, save time by allowing the RDBMS to parse and optimize the SQL statement once and then execute it many times without re-parsing or re-optimizing it.
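The three points made in this thread (injection, embedded single quotes, and prepare-once-execute-many) can be seen side by side in one runnable script. This is an added example, not code from the original posters; it uses an in-memory SQLite database through DBD::SQLite so that it runs offline, and the table, rows and CGI-style inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: the interpolated query from the reply above beside its
# placeholder form, run against constructed data. Requires DBI and DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 } );

# Constructed sample table. The INSERT is prepared once and executed per row,
# which is the prepare-outside-the-loop pattern jZed describes.
$dbh->do("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
my $ins = $dbh->prepare("INSERT INTO user (name) VALUES (?)");
$ins->execute($_) for ( "alice", "bob", "O'Brien" );

# Constructed values a CGI parameter might carry: an innocent name, a name
# with an embedded single quote, and a classic injection attempt.
my @inputs = ( "alice", "O'Brien", "x' OR '1'='1" );

print "--- string interpolation (unsafe) ---\n";
for my $name (@inputs) {
    # The value becomes part of the SQL text, exactly as in the "instead of" form.
    my $sql  = "SELECT id, name FROM user WHERE name = '$name'";
    my $rows = eval { $dbh->selectall_arrayref($sql) };
    if ($@) {
        # O'Brien: the quote terminates the literal early -> cryptic syntax error.
        print "[$name] syntax error: $@";
    }
    else {
        # x' OR '1'='1: the WHERE clause is rewritten and every row comes back.
        printf "[%s] returned %d row(s)\n", $name, scalar @$rows;
    }
}

print "--- placeholder (safe) ---\n";
# Prepared once, executed once per input. The driver binds each value as data,
# so quotes and SQL keywords inside it are just characters to compare against.
my $sth = $dbh->prepare("SELECT id, name FROM user WHERE name = ?");
for my $name (@inputs) {
    $sth->execute($name);
    my $rows = $sth->fetchall_arrayref;
    # alice -> 1 row, O'Brien -> 1 row, the injection string -> 0 rows.
    printf "[%s] returned %d row(s)\n", $name, scalar @$rows;
}
```

Run it with `perl placeholders.pl` (any filename will do). The interpolated loop shows both failure modes the thread mentions on the same data: the quoted name throws a syntax error, and the injection string returns all three rows. The placeholder loop treats every input as a plain string and returns only genuine matches.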