in reply to Using CGI.pm params to make a DBI MySQL query

Placeholders, as frequently mentioned, are your friends:

    my $sth = $dbh->prepare("INSERT INTO tbl VALUES(?, ?, ?)");
    $sth->execute(param('Col1'), param('Col2'), param('Col3'));
Yes, this is an extra statement, but it does make life easier for the SQL parser.

Re: Re: Using CGI.pm params to make a DBI MySQL query
by merlyn (Sage) on Oct 09, 2001 at 20:03 UTC
    You'll want scalar there, lest you be burned the day someone gives you none or two parameters for Col1 and friends.
    my $result = $dbh->do("INSERT INTO tbl VALUES(?,?,?)", undef, map scalar param($_), qw(Col1 Col2 Col3));

    -- Randal L. Schwartz, Perl hacker
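The placeholder INSERT from the reply above together with merlyn's scalar-context point, as an added example that is not code from either post. It assumes DBD::SQLite is installed so the statement can run against an in-memory table instead of MySQL (the placeholder syntax is the same), and the request values are constructed:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;

# Constructed request: Col1 is supplied twice and Col3 is missing entirely.
my $q = CGI->new('Col1=alpha&Col1=beta&Col2=two');

# List context: a multi-valued name yields all its values and a missing name
# yields nothing, so three names still produce exactly three binds
# (alpha, beta, two) and the INSERT succeeds with every column shifted.
# Recent CGI.pm versions warn about param() called in list context for this reason.
my @list_binds = map { $q->param($_) } qw(Col1 Col2 Col3);

# Scalar context: exactly one value per name (the first value, or undef),
# so the bind list always lines up with the placeholders.
my @scalar_binds = map { scalar $q->param($_) } qw(Col1 Col2 Col3);

# Assumption: DBD::SQLite stands in for MySQL here.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE tbl (col1 TEXT, col2 TEXT, col3 TEXT)');
my $sth = $dbh->prepare('INSERT INTO tbl VALUES (?, ?, ?)');

$sth->execute(@list_binds);    # stores col1=alpha col2=beta col3=two (wrong columns, no error)
$sth->execute(@scalar_binds);  # stores col1=alpha col2=two  col3=NULL (what the form meant)

my $rows = $dbh->selectall_arrayref('SELECT col1, col2, col3 FROM tbl ORDER BY rowid');
for my $row (@$rows) {
    print join("\t", map { defined $_ ? $_ : 'NULL' } @$row), "\n";
}
```

The first row shows why a silently shifted bind list is worse than an error: the statement runs cleanly while a value meant for Col1 lands in Col2.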