Re^2: DBD ERROR: error possibly near <*> indicator at char

@afoken I am not able to find how to chomp the <*> of before value e the 5th value of array var1 .. please help guys


my $sql2 = 'select name,value from A.Database2 minus select name,value
+ from A.database1';

my $sth2 = $dbh1->prepare($sql2);
$sth2->execute();
while (my @row = $sth2->fetchrow_array)
{
   
   print join(',', @row), "\n\n";

    chomp ;    
  
   push(@var1,$row[0]);


   
}

foreach (@var1) {
   
  print "$_\n";
}


my $sth3 = $dbh->prepare("select name,value from A.database1 where nam
+e in (".join(",",@var1).")") or die "Can't prepare statement: $DBI::e
+rrstr";


$sth3->execute(@var1);

while (my @row = $sth3->fetchrow_array)

{
print join(", ", @row), "\n";


DBD::Oracle::db prepare failed: ORA-00904: "APR_IMDG_MODE_ENABLED": in
+valid identifier (DBD ERROR: error possibly near <*> indicator at cha
+r 144 in 'select name,value from A where name in (a,b,c,d,<*>e)') [fo
+r Statement "select name,value from A where name in (a,b,c,d,e)"] at 
+hello.pl line 102.
Uncaught exception from user code:
        Can't prepare statement: ORA-00904: "APR_IMDG_MODE_ENABLED": i
+nvalid identifier (DBD ERROR: error possibly near <*> indicator at ch
+ar 144 in 'select name,value from  where name in (a,b,c,d,<*>e)') at 
+hello.pl line 102.
 at hello.pl line 102
[download]

Comment on Re^2: DBD ERROR: error possibly near <*> indicator at char Download Code

Replies are listed 'Best First'.
Re^3: DBD ERROR: error possibly near <*> indicator at char by roboticus (Chancellor) on Oct 14, 2017 at 16:32 UTC
You need to properly quote your values. Since they're strings, they should have quotes around them so the SQL should look like: `select name,value from A where name in ('a','b','c','d','e')` [download] While you could do it something like this: `# Make a quoted list of strings my @quoted_vals = map { "'$_'" } @var1; my $sth3 = $dbh->prepare("select name,value from A.database1 where nam +e in (" . join(",",@quoted_vals) . ")" ) or die "Can't prepare statement: $DBI::errstr";` [download] you probably don't want to. This is dangerous if you're not in total control of the values in @var1. Why is it dangerous? If one of the values contained "); drop table A.database1; --" then you could have someone destroying your database. The DBI library has a feature (placeholders) that protect you from SQL injection attacks when you're not in total control of the values. Basically it works by using question marks instead of the values in your statement, like this: `select name,value from A where name in (?, ?, ?, ?, ?)` [download] Then, when you execute the statement, you provide the values for the question mark slots. The DBI library will handle all the proper quoting. For your case, you'd do it like this: `# Build SQL statement with question marks instead of values my $sth3 = $dbh->prepare("select name,value from A.database1 where nam +e in (" . join(",", "?" x @var1) . ")" ) or die "Can't prepare statement: $DBI::errstr"; # Tell DBI to replace the question marks with the list of values $sth3->execute(@var1);` [download] Note: I've not tested this. I've done it many times in the past, but I don't currently have a database setup on this machine, so I'm doing it from memory. If you try this and there's a problem, let me know and I'll fix it up. ...roboticus When your only tool is a hammer, all problems look like your thumb.	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^3: DBD ERROR: error possibly near <*> indicator at char
by roboticus (Chancellor) on Oct 14, 2017 at 16:32 UTC

You need to properly quote your values. Since they're strings, they should have quotes around them so the SQL should look like:

select name,value from A where name in ('a','b','c','d','e')
[download]

While you could do it something like this:

# Make a quoted list of strings
my @quoted_vals = map { "'$_'" } @var1;
my $sth3 = $dbh->prepare("select name,value from A.database1 where nam
+e in ("
         . join(",",@quoted_vals) . ")"
         ) or die "Can't prepare statement: $DBI::errstr";
[download]

you probably don't want to. This is dangerous if you're not in total control of the values in @var1. Why is it dangerous? If one of the values contained "); drop table A.database1; --" then you could have someone destroying your database.

The DBI library has a feature (placeholders) that protect you from SQL injection attacks when you're not in total control of the values. Basically it works by using question marks instead of the values in your statement, like this:

select name,value from A where name in (?, ?, ?, ?, ?)
[download]

Then, when you execute the statement, you provide the values for the question mark slots. The DBI library will handle all the proper quoting.

For your case, you'd do it like this:

# Build SQL statement with question marks instead of values
my $sth3 = $dbh->prepare("select name,value from A.database1 where nam
+e in ("
         . join(",", "?" x @var1) . ")"
         ) or die "Can't prepare statement: $DBI::errstr";

# Tell DBI to replace the question marks with the list of values
$sth3->execute(@var1);
[download]

Note: I've not tested this. I've done it many times in the past, but I don't currently have a database setup on this machine, so I'm doing it from memory. If you try this and there's a problem, let me know and I'll fix it up.

...roboticus

When your only tool is a hammer, all problems look like your thumb.

[reply]
[d/l]
[select]