
Re: Quote mark in string messing up mySQL INSERT

by htoug (Deacon)
on Dec 12, 2002 at 11:19 UTC ( #219282=note )

in reply to Quote mark in string messing up mySQL INSERT

Either use placeholders or use the quote function in DBI.

I would recode your example thus (completely untested and with no warranty):

    sub insertAttribute {
        my ($serverID, $featureID, $value) = @_;
        # Quote each value so it can be interpolated into the SQL string
        $_ = $dbh->quote($_) for ($serverID, $featureID, $value);
        my $sqlINS = qq{
            INSERT INTO attribute VALUES ($serverID, $featureID, $value)
        };
        $dbh->do($sqlINS);
    }

Remember: $dbh->quote(expression) is your friend.

Replies are listed 'Best First'.
Re: Re: Quote mark in string messing up mySQL INSERT
by shoez (Sexton) on Dec 13, 2002 at 00:23 UTC
    Using $dbh->quote or placeholders will also prevent you from suffering SQL injection attacks... which could clear out your database if you're unlucky!

    tom
      Is it safe to use apostrophes instead of quotes? In the past I have always done:
      $dbh->do("insert into mytable values('$myStringWhichPossiblyContainsQuotes', '$another string', ...)");
        What if your variables contain apostrophes? Or other 'nasty' characters?

        Stick with either $dbh->quote($variable) or use placeholders.
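
The three approaches discussed in this thread, side by side, as an added example that is not code from any of the posters. It assumes DBD::SQLite with an in-memory database in place of the MySQL server; the column names of the attribute table and the sample value are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: an in-memory SQLite database stands in for the MySQL server.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Assumed column names; the thread only shows "INSERT INTO attribute VALUES".
$dbh->do('CREATE TABLE attribute (serverID INTEGER, featureID INTEGER, value TEXT)');

# Constructed sample value containing apostrophes.
my $value = "O'Brien's rack";

# 1. Interpolating between hand-written apostrophes: the embedded apostrophe
#    ends the SQL string literal early, so the statement no longer parses.
my $ok = eval {
    $dbh->do("INSERT INTO attribute VALUES (1, 10, '$value')");
    1;
};
print "interpolated: ", ($ok ? "inserted\n" : "failed: $@");

# 2. Placeholders: the value is bound as data and is never parsed as SQL.
sub insertAttribute {
    my ($serverID, $featureID, $value) = @_;
    my $sth = $dbh->prepare_cached(
        'INSERT INTO attribute (serverID, featureID, value) VALUES (?, ?, ?)');
    return $sth->execute($serverID, $featureID, $value);
}
insertAttribute(1, 10, $value);

# 3. $dbh->quote: returns the value as a complete, escaped SQL literal,
#    so no apostrophes are written around it in the statement.
my $quoted = $dbh->quote($value);
$dbh->do("INSERT INTO attribute VALUES (2, 10, $quoted)");

# Both safe forms must store the original string unchanged.
my $rows = $dbh->selectall_arrayref(
    'SELECT serverID, value FROM attribute ORDER BY serverID');
for my $row (@$rows) {
    my ($id, $stored) = @$row;
    printf "server %d stored %s (%s)\n", $id, $stored,
        $stored eq $value ? 'round-trips' : 'MISMATCH';
}
$dbh->disconnect;
```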
