in reply to Re^6: DBI do() SQL injection
in thread DBI do() SQL injection

> There are a few places (table and column names, mostly) where you're required to use quote instead of placeholders

No, please don't. Use quote_identifier for table and column names.

quote is useful when placeholders can't be used, e.g. you're sending the SQL statement to a function that doesn't accept any other arguments and you can't change it; but generally placeholders are easier and cleaner.

map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]
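As an added example that is not part of the thread (and not DBI's own documentation), the script below puts the three pieces of advice side by side: quote_identifier for a table or column name, placeholders for values, and quote only for the corner case where a value has to be inlined into the SQL string. It assumes DBI and DBD::SQLite are installed; the users table, the lookup helper, the column whitelist and the hostile input are all constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread: identifiers via quote_identifier,
# values via placeholders, quote() only when a placeholder is impossible.
use strict;
use warnings;
use DBI;

# In-memory SQLite database so the script runs with no setup.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
$ins->execute(@$_) for ["O'Brien", 'ob@example.com'], ['Alice', 'alice@example.com'];

# Fetch one column for one user. Both the column (an identifier) and the
# name (a value) arrive from outside; neither is interpolated raw.
sub lookup {
    my ($dbh, $column, $name) = @_;

    # Identifier: restrict to what the schema really has, then quote it.
    # quote_identifier alone stops the name from being read as SQL; the
    # whitelist additionally keeps unknown columns out of the query.
    my %allowed = map { $_ => 1 } qw(id name email);
    die "unknown column: $column\n" unless $allowed{$column};
    my $sql = sprintf 'SELECT %s FROM %s WHERE name = ?',
        $dbh->quote_identifier($column), $dbh->quote_identifier('users');

    # Value: a placeholder, bound at execute time, never quoted by hand.
    return $dbh->selectrow_array($sql, undef, $name);
}

print lookup($dbh, 'email', "O'Brien"), "\n";

# A hostile "column name" (constructed input) never reaches the SQL text.
my $hostile = 'name"; DROP TABLE users; --';
eval { lookup($dbh, $hostile, 'x') };
print "rejected: $@" if $@;

# Even without the whitelist, quote_identifier doubles the embedded " so the
# whole payload is one quoted identifier, not a second statement.
my $sql = sprintf 'SELECT %s FROM users', $dbh->quote_identifier($hostile);
print "$sql\n";    # the DROP TABLE text is inside a quoted identifier
eval { $dbh->selectrow_array($sql) };    # whatever SQLite makes of it, no DROP ran
my ($count) = $dbh->selectrow_array('SELECT COUNT(*) FROM users');
print "rows still present: $count\n";

# quote() is for the rare case where a value must be inlined, e.g. an API that
# only accepts a finished SQL string. It escapes a *value*; it is the wrong
# tool for identifiers.
my $literal = $dbh->quote("O'Brien");    # a single-quoted SQL string literal
my ($email) = $dbh->selectrow_array("SELECT email FROM users WHERE name = $literal");
print "via quote(): $email\n";
```

Running it prints the e-mail for O'Brien twice (once through the placeholder, once through quote), the rejection message for the hostile column name, and a row count of 2 showing that the table survived the quoted hostile identifier.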

Re^8: DBI do() SQL injection
by dsheroh (Monsignor) on Oct 21, 2023 at 11:21 UTC
    > No, please don't. Use quote_identifier for table and column names.

    Whoops! Good catch, and thanks for the correction!