Re: dbi mysql concat interpolation

in reply to dbi mysql concat interpolation

Are you trying to get a single quote into a string in SQL? Backslash works in Perl, but SQL uses a different way to escape quotes:

my $sth = $dbh->prepare("SELECT CONCAT('My', '''', 'QL')");
[download]

You should use placeholders, though, to avoid the hard work:

my $sth = $dbh->prepare('SELECT CONCAT(?, ?, ?)');
$sth->execute(qw(My ' QL));
[download]

لսႽ† ᥲᥒ⚪⟊Ⴙᘓᖇ Ꮅᘓᖇ⎱ Ⴙᥲ𝇋ƙᘓᖇ

Comment on Re: dbi mysql concat interpolation Select or Download Code

Replies are listed 'Best First'.
Re^2: dbi mysql concat interpolation by davido (Cardinal) on Feb 19, 2015 at 17:45 UTC
+1 for suggesting placeholders/bind-values. Takes the guesswork out of how to construct a safe, valid interpolated string, and could be more efficient if the `execute` may be called multiple times for a given `prepare`. It's just a good habit too; someday there would be a temptation to interpolate something into the SQL that isn't a string literal, and at that point you start getting into potential SQL injections. Dave	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^2: dbi mysql concat interpolation
by davido (Cardinal) on Feb 19, 2015 at 17:45 UTC

+1 for suggesting placeholders/bind-values. Takes the guesswork out of how to construct a safe, valid interpolated string, and could be more efficient if the execute may be called multiple times for a given prepare. It's just a good habit too; someday there would be a temptation to interpolate something into the SQL that isn't a string literal, and at that point you start getting into potential SQL injections.

Dave

[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom