in reply to Re: Using multiple values in a SQL "in" statement
in thread Using multiple values in a SQL "in" statement

Normally your answers are very good, but this is not one of those answers. :-)

Putting values directly into a SQL statement is a classic example of what not to do, because it is vulnerable to SQL injection attacks if the ID array values are externally sourced. The reason it is recommended to bind values in is to protect themselves from this sort of thing! :-)

If you spot any bugs in my solutions, it's because I've deliberately left them in as an exercise for the reader! :-)
  • Comment on Re^2: Using multiple values in a SQL "in" statement

Replies are listed 'Best First'.
Re^3: Using multiple values in a SQL "in" statement
by locked_user sundialsvc4 (Abbot) on May 02, 2013 at 12:17 UTC

    Notice how, in one of the examples above, a string is (easily ...) constructed that consists of one-or-more question marks separated by commas.   This string is inserted dynamically (and safely) into the SQL string.   A corresponding parameter is added to the list of parameters at the same time, and the two are provided together when the query is run.   This technique is suitably dynamic, yet safe from injection.

    I will also endorse the notion of using DBIx::Class ... or SQL::Abstract if you have a lot of existing code to deal with.   They are solid and helpful.

Re^3: Using multiple values in a SQL "in" statement
by hdb (Monsignor) on May 02, 2013 at 10:13 UTC

    Thanks for the explanation. I had already realized that I did not read the question careful enough but I had not understood the full significance.

[reply]

In Section Seekers of Perl Wisdom