Re^6: DBI do() SQL injection

You can always fix that by wrapping the value into a quote

And is there any advantage to using quote instead of placeholders?

sub run_do_with_placeholders($dbh, $id, $name) {
    $dbh->do(qq{
        INSERT INTO customers
        (id,name)
        VALUES(?, ?)},
        undef, $id, $name);
}
[download]

There are a few places (table and column names, mostly) where you're required to use quote instead of placeholders, but, IMO, you should always use placeholders for data values where possible and never rely on quoting unless you absolutely have to.

Comment on Re^6: DBI do() SQL injection Select or Download Code

Replies are listed 'Best First'.
Re^7: DBI do() SQL injection by choroba (Cardinal) on Oct 20, 2023 at 17:38 UTC
> There are a few places (table and column names, mostly) where you're required to use quote instead of placeholders No, please don't. Use `quote_identifier` for table and column names. `quote` is useful when placeholders can't be used, e.g. you're sending the SQL statement to a function that doesn't accept any other arguments and you can't change it; but generally placeholders are easier and cleaner. `map{substr$_->[0],$_->[1]\|\|0,1}[\\|\|{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^ARGV,3]`	[reply] [d/l] [select]
Re^8: DBI do() SQL injection by dsheroh (Monsignor) on Oct 21, 2023 at 11:21 UTC
No, please don't. Use `quote_identifier` for table and column names. Whoops! Good catch, and thanks for the correction!	[reply] [d/l]