Perl and SQL
David A. Sinck
plug-devel@lists.PLUG.phoenix.az.us
Tue Mar 25 21:27:03 2003
\_ SMTP quoth Victor Odhner on 3/25/2003 06:26 as having spake thusly:
\_
\_ Hi, Austin.
\_ I see nothing nasty about storing data in variables,
\_ especially if the data volume is large.
\_
\_ I presume you are using DBI. It's very common to
\_ prepare a variable $sql that contains the whole
\_ query.
\_
\_ In building such a string, use '' for quoting
\_ instead of "" to keep your escape characters.
That's fine if you can see it all at once yourself and know it's
safe. Otherwise, use
my $sql_part = $dbh->quote($nasty_raw_unclean_user_input);
or preferably
my $sql = 'insert into something (autoinc, textcolumn) values (0, ?)';
my $sth = $dbh->prepare($sql);   # compile once; the ? is filled in at execute time
$sth->execute($nasty_raw_unclean_user_input);
# see 'Placeholder and Bind Values' in the DBI man page
It's worked for all but two cases I've run into. Error trapping is a
good thing, but is left here as an exercise to the reader.
David
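A self-contained illustration of the three approaches from the reply above (raw interpolation, $dbh->quote(), and a placeholder with a bind value) run side by side. This is an added example, not code from David's post; it assumes DBD::SQLite is installed so the script can use an in-memory database, and the table, column and variable names are taken from the post while the hostile input is constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example (not from the original post). Assumes DBD::SQLite is installed;
# an in-memory database keeps the script self-contained. RaiseError does the
# error trapping the post leaves as an exercise.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Table named as in the post; SQLite spells the auto-increment column this way.
$dbh->do('CREATE TABLE something (
              autoinc    INTEGER PRIMARY KEY AUTOINCREMENT,
              textcolumn TEXT)');

# Seed a few rows using a placeholder, the pattern the post recommends.
# NULL rather than the post's 0: 0 is the MySQL idiom for "next value",
# SQLite wants NULL there.
my $insert = $dbh->prepare(
    'INSERT INTO something (autoinc, textcolumn) VALUES (NULL, ?)');
$insert->execute($_) for qw(alice bob carol);

# Constructed hostile input: closes the string literal and ORs in a tautology.
my $nasty_raw_unclean_user_input = q{nobody' OR '1'='1};

# 1. Interpolating the raw input into the SQL text: the tautology is parsed as
#    SQL, so a lookup that should match nothing matches every row.
my $unsafe_sql = "SELECT COUNT(*) FROM something "
               . "WHERE textcolumn = '$nasty_raw_unclean_user_input'";
my ($unsafe_count) = $dbh->selectrow_array($unsafe_sql);

# 2. $dbh->quote(): the driver doubles the embedded single quote, so the whole
#    value (tautology included) becomes one string literal that matches nothing.
my $quoted_sql = 'SELECT COUNT(*) FROM something WHERE textcolumn = '
               . $dbh->quote($nasty_raw_unclean_user_input);
my ($quoted_count) = $dbh->selectrow_array($quoted_sql);

# 3. Placeholder plus bind value: the statement text never contains the input;
#    it is handed to the driver separately, as data, at execute time.
my $sth = $dbh->prepare(
    'SELECT COUNT(*) FROM something WHERE textcolumn = ?');
$sth->execute($nasty_raw_unclean_user_input);
my ($bound_count) = $sth->fetchrow_array;

printf "interpolated: %d rows matched (injection worked)\n", $unsafe_count;
printf "quote():      %d rows matched\n",                    $quoted_count;
printf "placeholder:  %d rows matched\n",                    $bound_count;

$dbh->disconnect;
```

With three seeded rows the interpolated query reports 3 matches while the quote() and placeholder versions each report 0. Of the two safe forms, the placeholder is preferable for the reason the post gives: the value is never part of the SQL text, so there is nothing for a quoting bug in your own code to get wrong.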