Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??


Placeholders are actually very easy, and prevent a lot of problems. To use placeholders, you just replace variable references with question marks, then provide the values as arguments to execute.

So suppose you have something like this:

my $ST = $DB->prepare("select foo, bar from my_table " ."where col1 < '$abc' or (col1 > '$def' and col3 +< $fgh)"); $ST->execute();

As mentioned, you change the variables to question marks and provide the variables to the execute statement, like this:

my $ST = $DB->prepare("select foo, bar from table where col1 < ? or (c +ol1 > ? and col3 < ?)"); $ST->execute($abc, $def, $fgh);

Note that we also removed the quotes on the first two variable references, because the database already knows that column1 is a string.

Using placeholders is nice, because you can use the same statement with different values for different executes which will let the database compile the statement once and re-use the same execution plan for successive runs. (Well, at least *some* databases will take advantage of that.)

Placeholders are even more important because they take advantage of any funky special cases for quoting the variable values, and thereby help you resist SQL injection attacks. For example, suppose $abc in the example above contains the value "'; drop table my_table; --". Then your original statement would be passed to the database as the following (with a few newlines thrown in for readability):

select foo, bar from my_table where col1 < ''; drop table my_table ; --' or (col1 > 'def_val' and col3 < fgh_val)

That's a recipe for disaster. So make the effort to learn placeholders a bit better (shouldn't take long), and you'll never go back to doing it the hard way.


When your only tool is a hammer, all problems look like your thumb.

In reply to Re^3: Getting mysql data into gd by roboticus
in thread Getting mysql data into gd by shanta

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others drinking their drinks and smoking their pipes about the Monastery: (8)
    As of 2021-01-27 23:11 GMT
    Find Nodes?
      Voting Booth?