my $table = 'book';
my $condition = '1';
my $sort_field = 'id';
my $sort_order = 'DESC";
my $sql = "SELECT id, name, location FROM $table WHERE $condition ORDE
+R BY $sort_field $sort_order";
print $sql,"\n";
my $sth = $dbh->prepare($sql);
$sth->execute() or warn "Unable to query $table" $dbh->errstr . "\n" .
+ $!;
while (my $row = $sth->fetchrow_hashref()) {
print $row->{'id'},"\t",$row->{'name'},"\t",$row->{'location'},"\n";
+;
}
Remember: single quotes give you a literal, double quotes interpolates included variables. Also, if this is untrusted user input you are manipulating (say the kind collected at a browser) you would be much safer to use bind variables, by replacing these two lines like so:
my $sql = "SELECT id, name, location FROM $table WHERE ? ORDER BY ? ?"
+;
. . .
$sth->execute($condition,$sort_field,$sort_order);
Note: I've never tried to feed a $sort_order as a bind variable and have no idea if that would work. But a few tests ought to let you know if it will. I do know that the rest of this should work, although I have not tested this code, leaving that to you.
-- Hugh
if( $lal && $lol ) { $life++; }
|