bugup401:
Yeah, using placeholders is perfect for avoiding SQL injection attacks. To do so, you just put a question mark in place of the values you need to substitute. Then when you execute the statement, you provide one value for each question mark in your statement:
my $STMT = $DBH->prepare(q{
SELECT SND.firstname as snd_fname, SND.lastname as snd_lname,
REC.firstname as rec_fname, REC.lastname as rec_lname
from MSG as M
-- We'll use SND as the alias for the sender
join USERS as SND on M.msg_from = SND.usrid
-- and REC as the alias for the recipient
join USERS as REC on M.msg_to = REC.usrid
where M.msg_id = ?
});
# Fetch the data for message 5
my $msg_id = 5;
$STMT->execute($msg_id);
while (my $row = $STMT->fetchrow_hashref) {
# do stuff with the data
}
...roboticus
When your only tool is a hammer, all problems look like your thumb.