Of your three, #2 looks best to me. It's a decent heuristic.

#3 is, I think, actually impossible in general. Consider:

my $v1 = 'field3'; my $v2 = 'value'; sql_interp('SELECT * FROM table WHERE field1 = ', $v1, ' AND field2 = +', $v2)

#3 would presumably make this be equivalent to field1 = 'field3' AND field2 = 'value', but the programmer might well have intended it to be field1 = field3 AND field2 = 'value', at which point the DWIMmery would merely have resulted in a perplexing bug. There's no way to determine which of the two was intended (let alone the other possible permutations), so it's better just to require the programmer to be explicit.


In reply to Re: Improving the security of SQL::Interp by Porculus
in thread Improving the security of SQL::Interp by markjugg

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":