http://www.perlmonks.org?node_id=219474


in reply to Re: Quote mark in string messing up mySQL INSERT
in thread Quote mark in string messing up mySQL INSERT

Using $dbh->quote or placeholders will also prevent you from suffering SQL injection attacks... which could clear out your database if you're unlucky!
tom

Re: Re: Re: Quote mark in string messing up mySQL INSERT
by Cmdr_Tofu (Scribe) on Dec 13, 2002 at 04:10 UTC
    Is it safe to use apostrophes instead of quotes? In the past I have always done:
    $dbh->do("insert into mytable values('$myStringWhichPossiblyContainsQuotes', '$anotherString', ...)");
    Rohit
      Nope!!
      What if your variables contain apostrophes? Or other 'nasty' characters?

      Stick with either $dbh->quote($variable) or use placeholders.
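The following is an added example, not code from any of the posters above, showing the three approaches side by side on a value that contains an apostrophe. It assumes DBD::SQLite is installed (an in-memory database keeps it self-contained) and constructs a two-column mytable for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; ":memory:" keeps the demo self-contained.
# RaiseError is off so the broken insert below returns undef instead of dying.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 0, PrintError => 0 })
    or die $DBI::errstr;
$dbh->do("CREATE TABLE mytable (name TEXT, note TEXT)");

# Constructed input: an ordinary surname with an apostrophe is enough to
# break naive quoting; double quotes inside the value are shown for contrast.
my $name = "O'Brien";
my $note = q{said "hello"};

# 1. Interpolating straight into a single-quoted SQL literal: the apostrophe in
#    $name ends the literal early, so the statement is malformed. Anything the
#    caller controls after that point is parsed as SQL, which is the injection risk.
my $rows = $dbh->do("insert into mytable values('$name', '$note')");
print "interpolated insert: ",
      (defined $rows ? "ok" : "FAILED: " . $dbh->errstr), "\n";

# 2. Placeholders: the SQL text is fixed, and the values travel separately,
#    so no character in them can change the statement's structure.
my $sth = $dbh->prepare("insert into mytable values(?, ?)");
$sth->execute($name, $note) or die $sth->errstr;

# 3. $dbh->quote: the driver escapes the value and wraps it in quotes using
#    the rules of this particular database, so the result is safe to interpolate.
my $q_name = $dbh->quote($name);   # 'O''Brien' for SQLite
my $q_note = $dbh->quote($note);
$dbh->do("insert into mytable values($q_name, $q_note)") or die $dbh->errstr;

# Both safe forms stored the apostrophe intact; the interpolated one stored nothing.
my $got = $dbh->selectall_arrayref("select name, note from mytable order by rowid");
printf "%s | %s\n", @$_ for @$got;
```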