djlerman has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks.

I am in the process of an sql parameterization project and would like some clarity on a few finer points.

Relating to "LIKE ?" is this the best practice: 
@input                = ();

$string = "abc";

push(@input, '%' . $string . '%');

$sth=$dbh->prepare("SELECT *
                    FROM table
                    WHERE field LIKE ?") or die $dbh->errstr;
$sth->execute(@input) or die $dbh->errstr;

[download]


What is the best way to use in(): 
@input                = ();

$string = "1,2,3";

push(@input, $string);

$sth=$dbh->prepare(" SELECT *
                    FROM table
                    WHERE field IN (?) ") or die $dbh->errstr;
$sth->execute(@input) or die $dbh->errstr;

[download]
Thank You. 🙏

Replies are listed 'Best First'.
Re: sql bind parameterization clarity
by Corion (Patriarch) on Aug 26, 2022 at 18:21 UTC

    For IN, I use something like:

    my $placeholders = join ",", (('?') x @values);
my $sth = $dbh->prepare(" SELECT *
                    FROM table
                    WHERE field IN ($placeholders) ") or die $dbh->err
+str;
$sth->execute(@values);

    [download]
[reply]
[d/l]
[select]

      -- for postgres you can simplify that a bit by
where field = any ( ? ) 

-- followed by
$sth->execute(\@values)  -- note the backslash

      [download]

[reply]
[d/l]
      Thank You.
[reply]

Back to Seekers of Perl Wisdom