markjugg has asked for the wisdom of the Perl Monks concerning the following question:
    $result = $db->iquery("SELECT * FROM foo WHERE a = ",\$b)

It's easy to read, and $b will automatically be translated into a bind variable. My concern is that on a number of occasions I have seen well-meaning programmers do this instead:
    $result = $db->iquery("SELECT * FROM foo WHERE a = ",$b)

The difference is the backslash before the $b. The rub is that the code produces the same result either way, but the second format has possibly introduced an opportunity for a SQL injection attack. What suggestions do you have for how SQL::Interp might detect such cases, so that it can warn or die? Here are some brainstorms I've thought of, possibly activated only when a "strict mode" is enabled.
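As an added illustration (not part of the original post and not SQL::Interp's own code), the toy function below imitates the interpolation interface described in the question and implements one possible "strict mode" heuristic: a plain (non-reference) argument that immediately follows an SQL fragment ending in a comparison operator is treated as a value the caller forgot to pass by reference, and the call dies instead of concatenating the value into the SQL text. The function name strict_interp, the operator regex, and the sample value are all assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for an iquery()-style interpolator (not SQL::Interp's
# implementation). Plain strings are SQL fragments and are concatenated as-is;
# scalar references become a '?' placeholder plus a bind value.
sub strict_interp {
    my @parts = @_;
    my ($sql, @binds) = ('');

    for my $i (0 .. $#parts) {
        my $p = $parts[$i];

        if (ref $p eq 'SCALAR') {
            $sql .= '?';
            push @binds, $$p;
            next;
        }
        die "unsupported argument type: " . ref($p) . "\n" if ref $p;

        # Strict-mode heuristic (an assumption of this example, not a rule
        # SQL::Interp implements): if the previous argument was an SQL
        # fragment that ends in a comparison operator, the current plain
        # string is almost certainly a value that should have been \$value.
        if ( $i > 0
            && !ref $parts[$i - 1]
            && $parts[$i - 1] =~ /(?:=|<>|!=|<=?|>=?|\bLIKE|\bIN)\s*$/i )
        {
            die "strict mode: unbound value '$p' follows an SQL operator; "
              . "pass it as a reference (\\\$value) so it becomes a bind variable\n";
        }

        $sql .= $p;
    }
    return ( $sql, @binds );
}

# Constructed sample input: an attacker-controlled value of the kind that
# turns the unescaped form into an injection.
my $val = "1 OR 1=1";

# Correct form: the value is passed by reference and becomes a bind variable.
my ( $sql, @binds ) = strict_interp( "SELECT * FROM foo WHERE a = ", \$val );
print "SQL:   $sql\n";        # SELECT * FROM foo WHERE a = ?
print "binds: @binds\n";      # 1 OR 1=1  (sent separately, never parsed as SQL)

# Mistaken form from the question: the missing backslash would otherwise yield
# "SELECT * FROM foo WHERE a = 1 OR 1=1". Strict mode refuses it instead.
eval { strict_interp( "SELECT * FROM foo WHERE a = ", $val ) };
print "refused: $@" if $@;
```

The check is deliberately conservative: it only fires when the preceding fragment visibly ends in an operator, so legitimate multi-fragment SQL such as `("SELECT * FROM foo WHERE ", "a = 1")` still passes. Whether that trade-off is acceptable, or whether strict mode should reject every non-reference argument after the first, is exactly the design question the post raises.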