Of course I can - here's the one from the documentation:

my $rows_deleted = $dbh->do(q{
    DELETE FROM table
    WHERE status = ?
}, undef, 'DONE') or die $dbh->errstr;
[download]

It is always beneficial to read the documentation.

doh...thanks! In all the other occasions like

$dbh->do(qq{ 
insert into customers
(id,name)
values('$id','$name')}
)
[download]

can you get injected?

If you have no control over the contents of $id, you shouldn't use it directly. What if $id was set to 42', 'Batman'); drop table customers; --?

In fact, I tried it with two different database drivers. Interestingly, in DBD::SQLite, the table wasn't removed, as it doesn't support multiple statements at a time. On the other hand, DBD::Pg happily removed the table and crashed when I tried using it later.

Read more... (2 kB)

You can always fix that by wrapping the value into a quote:

    $dbh->do(join "",
             'INSERT INTO customers(id,name) VALUES(',
             $dbh->quote($id), ', ',
             $dbh->quote($name),
             ')');
[download]

map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]

Yes, so don't do that! :-)

---

🦛