Perl and SQL

David A. Sinck plug-devel@lists.PLUG.phoenix.az.us
Tue Mar 25 21:27:03 2003


\_ SMTP quoth Victor Odhner on 3/25/2003 06:26 as having spake thusly:
\_
\_ Hi, Austin.
\_ I see nothing nasty about storing data in variables,
\_ especially if the data volume is large.
\_ 
\_ I presume you are using DBI.  It's very common to
\_ prepare a variable $sql that contains the whole
\_ query.
\_ 
\_ In building such a string, use '' for quoting
\_ instead of "" to keep your escape characters.

That's fine if you can see it all at once yourself and know it's
safe.  Otherwise, use 

my $sql_part = $dbh->quote($nasty_raw_unclean_user_input);

or preferably

my $sql = 'insert into something (autoinc, textcolumn) values (0, ?)';
my $sth = $dbh->prepare($sql);   # the prepared handle $sth comes from $dbh
$sth->execute($nasty_raw_unclean_user_input);
# see 'Placeholder and Bind Values' in the DBI man page

It's worked for all but two cases I've run into.  Error trapping is a
good thing, but is left here as an exercise to the reader.

David
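A runnable version of the two safe approaches David lists, shown beside the naive string-building they replace; this is an added illustration, not code from the thread, and it assumes DBD::SQLite is installed so an in-memory database can stand in for the real one.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; :memory: keeps the example self-contained.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('create table something (autoinc integer primary key autoincrement, '
       . 'textcolumn text)');

# Constructed sample input: a single apostrophe is enough to break naive quoting.
my $nasty_raw_unclean_user_input = "O'Reilly";

# 1. Naive interpolation: the apostrophe closes the literal early and SQLite rejects
#    the statement. RaiseError turns that into a die, which eval catches.
my $naive_sql = "insert into something (textcolumn) values ('$nasty_raw_unclean_user_input')";
eval { $dbh->do($naive_sql) };
print 'naive interpolation: ', ($@ ? "rejected ($@)" : 'ok'), "\n";

# 2. $dbh->quote: the driver escapes the value and supplies the surrounding quotes.
my $sql_part = $dbh->quote($nasty_raw_unclean_user_input);
$dbh->do("insert into something (textcolumn) values ($sql_part)");

# 3. Placeholder: the value is bound at execute time and never becomes SQL text.
my $sql = 'insert into something (textcolumn) values (?)';
my $sth = $dbh->prepare($sql);
$sth->execute($nasty_raw_unclean_user_input);

# Both safe routes stored the apostrophe intact; the naive one stored nothing.
my $rows = $dbh->selectall_arrayref('select textcolumn from something order by autoinc');
print "stored: $_->[0]\n" for @$rows;
$dbh->disconnect;
```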