DBI Query insert issue....

SriniK has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I have used the following code to insert in to DB

 $dbh->do("insert into Table (Ticket_ID,Subject,Status,Priority,Create
+d_Time,Queue,Owner,Class_Type,Sent_Date) value (\'$Ticket_ID\',\'$Sub
+ject\',\'$Status\',\'$Priority\',\'$Created_Time\',\'$Queue\',\'$Owne
+r\',\'$Class_Type\',now());");
[download]

this code working fine for a time. But now its working if the subject($subject) contains a quote(') like $subject contain Can't get the Mail.
please help me on this.

thanks
Srinivasan

Comment on DBI Query insert issue.... Download Code

Replies are listed 'Best First'.
Re: DBI Query insert issue.... by runrig (Abbot) on Jul 03, 2012 at 16:28 UTC
See What are placeholders in DBI, and why would I want to use them?.	[reply]
Re: DBI Query insert issue.... by kennethk (Abbot) on Jul 03, 2012 at 16:59 UTC
You could manually escape your inputs using quote (as described in DBI), but that's still a lot of interpolation and kind of a mess. Cleaner would be to use Placeholders and Bind Values. For example, if I were writing your code, it might look more like `my $sql = <<EOSQL; insert into Table ( Ticket_ID, Subject, Status, Priority, Created_Time, Queue, Owner, Class_Type, Sent_Date) values (?,?,?,?,?,?,?,?,now()); EOSQL my $query = $dbh->prepare($sql) or die $dbh->errstr; $query->execute($Ticket_ID, $Subject, $Status, $Priority, $Created_Time, $Queue, $Owner, $Class_Type, ) or die $dbh->errstr;` [download] Also note I corrected a typo in your SQL - in the future, make sure that what you post actually compiles/runs/demonstrates your issue, as described in How do I post a question effectively?. #11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.	[reply] [d/l]
Re^2: DBI Query insert issue.... by SriniK (Beadle) on Jul 04, 2012 at 09:36 UTC
Hi Thanks for replying... I thought i have given enough information about my problem. Anyway with ur answer i have solved my problem Thanks Srinivasan	[reply]
Re^3: DBI Query insert issue.... by kennethk (Abbot) on Jul 04, 2012 at 20:19 UTC
You did give enough information in this case, but errors in posted code frequently act as red herrings, where people trying to help get confused about what's actually at issue. As well, if posted code doesn't display exactly the errors reported, many potential helpers will skip your issue. Such an error can also be inadvertently copied into a suggested solution, resulting in difficulties. And finally, I have frequently found that the act of coming up with my example code to post tracks down exactly the issue I needed help with. #11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.	[reply]
Re: DBI Query insert issue.... by sundialsvc4 (Abbot) on Jul 03, 2012 at 20:12 UTC
Placeholders are hugely important! The un-quoted question marks in the query string represent, in effect, variables that are consumed by the query when it runs. Each question mark corresponds left-to-right with an entry in an array of values that is separately provided. (There must be exactly enough.) The values, therefore, are not “part of the SQL string” and so cannot be used to corrupt it ... thereby neatly avoiding the Bobby Tables problem.