PerlMonks
Re: How's My Style Now?

by chb (Deacon)
on Feb 08, 2010 at 08:52 UTC [id://821967]


in reply to How's My Style Now?

Please please use placeholders in all SQL, every time, everywhere, always. Imagine what happens when someone submits the value 0'; DROP TABLES; -- as $ref_id. If you use placeholders in your prepared statements, the DBI driver would quote away some of the danger in this.

Re^2: How's My Style Now?
by Spenser (Friar) on Feb 08, 2010 at 11:39 UTC

    I usually do use placeholders. However, in this case one of the three possible SQL statements has no value required. How would I deal with that? For the other two I can create a variable (e.g., $particular) and set it in the block of the elsif and the else, to be used like so: $sth->execute($particular);. However, for the if statement, won't I get an error even if $particular is set to blank?

    -Spenser

    That's Spenser, with an "s" like the detective.

      Just change your control flow slightly and prepare/execute the entire statement inside the if/elsif/else blocks (warning: untested code)
      sub get_musings_entries {    # get musings from MySQL
          my ($musing_id, $ref_id) = @_;
          my $sth;                 # $dbh is the connected handle from the caller
          if ($ref_id && $ref_id eq 'all') {
              $sth = $dbh->prepare(qq|SELECT musing_id, ref_id, heading, abstract,
                  DATE_FORMAT(entry_date, '%M %e, %Y')
                  FROM musings ORDER BY entry_date DESC|);
              $sth->execute();
          }
          elsif ($ref_id) {
              # a bare ? is the placeholder; '?' would be the literal string "?"
              $sth = $dbh->prepare(qq|SELECT musing_id, ref_id, heading, abstract,
                  DATE_FORMAT(entry_date, '%M %e, %Y')
                  FROM musings WHERE ref_id = ? ORDER BY entry_date DESC LIMIT 10|);
              $sth->execute($ref_id);
          }
          else {
              $sth = $dbh->prepare(qq|SELECT musing_id, ref_id, heading, entry,
                  DATE_FORMAT(entry_date, '%M %e, %Y')
                  FROM musings WHERE musing_id = ?|);
              $sth->execute($musing_id);
          }
          # fetch the rows from the statement handle that was just executed
          my $entries = $sth->fetchall_arrayref();
          $sth->finish();
          return $entries;
      }
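To show why chb's advice matters, as an added example that is not code from either poster: an in-memory SQLite database (via DBD::SQLite, assumed installed) stands in for the MySQL musings table, the hostile $ref_id value from the root post is sent through an interpolated query and a bound one, and the quoted '?' from the untested snippet is tried as well. The rows inserted are constructed.

```perl
use strict;
use warnings;
use DBI;

# Added example, not chb's or Spenser's code: an in-memory SQLite stand-in for
# the MySQL "musings" table, filled with constructed rows.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE musings (musing_id INTEGER, ref_id TEXT, heading TEXT)');
$dbh->do(q{INSERT INTO musings VALUES (1, '7', 'first'), (2, '8', 'second')});

# The hostile value chb describes, arriving as $ref_id from a form.
my $ref_id = q{0'; DROP TABLES; --};

# Unsafe: the value is interpolated into the SQL text. The quote in the input
# closes the literal and everything after it is parsed as SQL.
sub rows_interpolated {
    my ($dbh, $ref_id) = @_;
    my $sql = "SELECT COUNT(*) FROM musings WHERE ref_id = '$ref_id'";
    print "SQL sent: $sql\n";
    my ($count) = $dbh->selectrow_array($sql);
    return $count;
}

# Safe: a bare ? is a bind parameter. The driver sends the whole string as one
# value, so the only thing it can do is fail to match any ref_id.
sub rows_bound {
    my ($dbh, $ref_id) = @_;
    my $sth = $dbh->prepare('SELECT COUNT(*) FROM musings WHERE ref_id = ?');
    $sth->execute($ref_id);
    my ($count) = $sth->fetchrow_array;
    $sth->finish;
    return $count;
}

my $count = eval { rows_interpolated($dbh, $ref_id) };
print defined $count ? "interpolated: $count rows\n"
                     : "interpolated: query rejected by the driver: $@";
printf "bound: %d rows (value matched literally, table untouched)\n",
       rows_bound($dbh, $ref_id);

# Pitfall from the thread: ref_id = '?' is the literal string "?", not a
# placeholder, so execute() with one argument dies under RaiseError.
my $quoted = $dbh->prepare(q{SELECT COUNT(*) FROM musings WHERE ref_id = '?'});
eval { $quoted->execute($ref_id); 1 }
    or print "quoted '?' is not a placeholder: $@";
```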
