in reply to Re^2: DBD ERROR: error possibly near <*> indicator at char
in thread DBD ERROR: error possibly near <*> indicator at char
You need to properly quote your values. Since they're strings, they should have quotes around them so the SQL should look like:
select name,value from A where name in ('a','b','c','d','e')
While you could do it something like this:
# Make a quoted list of strings my @quoted_vals = map { "'$_'" } @var1; my $sth3 = $dbh->prepare("select name,value from A.database1 where nam +e in (" . join(",",@quoted_vals) . ")" ) or die "Can't prepare statement: $DBI::errstr";
you probably don't want to. This is dangerous if you're not in total control of the values in @var1. Why is it dangerous? If one of the values contained "); drop table A.database1; --" then you could have someone destroying your database.
The DBI library has a feature (placeholders) that protect you from SQL injection attacks when you're not in total control of the values. Basically it works by using question marks instead of the values in your statement, like this:
select name,value from A where name in (?, ?, ?, ?, ?)
Then, when you execute the statement, you provide the values for the question mark slots. The DBI library will handle all the proper quoting.
For your case, you'd do it like this:
# Build SQL statement with question marks instead of values my $sth3 = $dbh->prepare("select name,value from A.database1 where nam +e in (" . join(",", "?" x @var1) . ")" ) or die "Can't prepare statement: $DBI::errstr"; # Tell DBI to replace the question marks with the list of values $sth3->execute(@var1);
Note: I've not tested this. I've done it many times in the past, but I don't currently have a database setup on this machine, so I'm doing it from memory. If you try this and there's a problem, let me know and I'll fix it up.
...roboticus
When your only tool is a hammer, all problems look like your thumb.
|
|---|