You could manually escape your inputs using quote (as described in DBI), but that's still a lot of interpolation and kind of a mess. Cleaner would be to use Placeholders and Bind Values. For example, if I were writing your code, it might look more like
my $sql = <<EOSQL;
insert into Table ( Ticket_ID,
Subject,
Status,
Priority,
Created_Time,
Queue,
Owner,
Class_Type,
Sent_Date)
values (?,?,?,?,?,?,?,?,now());
EOSQL
my $query = $dbh->prepare($sql) or die $dbh->errstr;
$query->execute($Ticket_ID,
$Subject,
$Status,
$Priority,
$Created_Time,
$Queue,
$Owner,
$Class_Type,
) or die $dbh->errstr;
Also note I corrected a typo in your SQL - in the future, make sure that what you post actually compiles/runs/demonstrates your issue, as described in How do I post a question effectively?.
#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.
| [reply] [d/l] |
Hi
Thanks for replying...
I thought i have given enough information about my problem. Anyway with ur answer i have solved my problem
Thanks
Srinivasan
| [reply] |
You did give enough information in this case, but errors in posted code frequently act as red herrings, where people trying to help get confused about what's actually at issue. As well, if posted code doesn't display exactly the errors reported, many potential helpers will skip your issue. Such an error can also be inadvertently copied into a suggested solution, resulting in difficulties. And finally, I have frequently found that the act of coming up with my example code to post tracks down exactly the issue I needed help with.
#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.
| [reply] |
Placeholders are hugely important! The un-quoted question marks in the query string represent, in effect, variables that are consumed by the query when it runs. Each question mark corresponds left-to-right with an entry in an array of values that is separately provided. (There must be exactly enough.) The values, therefore, are not “part of the SQL string” and so cannot be used to corrupt it ... thereby neatly avoiding the Bobby Tables problem. | |