Re: Cleanup time

Corion's got good ideas, but as it looks like you're playing with DBI, you'd really want to go with place holders if you can. Even if this is an intranet application, you should be thinking about security and taintness of your data at all times; DBI's placeholders do any automatic quoting of what goes in as to protect your database from harm.

If I assume that you eventually have code like:

# @where_clause has been fully defined

my $query = "SELECT * FROM $table WHERE ";
$query .= join " AND ", @where_clause;

my $sth->prepare( $query ) or die #stuff;
$sth->execute( ) or die #stuff;
[download]

Then you can still use placeholders by pushing the data into another array, which is then passed to the execute() function:

# From your code above:
if (defined($allocated_to) && $allocated_to ne '') {
push @where_clause, "UPPER(ALLOCATED_TO) LIKE UPPER(?)";
push @entries, 'ALLOCATED_TO';
push @values, '\%$allocated_to\%';
} 
#
# yada yada yada
#
my $query = "SELECT * FROM $table WHERE ";
$query .= join " AND ", @where_clause;

my $sth->prepare( $query ) or die #stuff;
$sth->execute( @values ) or die #stuff;
[download]

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
"I can see my house from here!"
It's not what you know, but knowing how to find it if you don't know that's important

Comment on Re: Cleanup time Select or Download Code

Replies are listed 'Best First'.
Re: Re: Cleanup time by maderman (Beadle) on Nov 08, 2001 at 10:49 UTC
Hi all, thanks for your replies. I've completed my task with a hash (%in) and used placeholders as follows: $contact_person = param("contact_person"); $allocated_to = param("allocated_to"); $status = param("status"); #Active or Closed die "At least one of the 'ALLOCATED_TO' or 'CONTACT_PERSON' fields " ."must be non-blank!" if ($contact_person eq '' && $allocated_to eq ''); $status =~ s/\s+//g; %in = ('allocated_to' => "$allocated_to", 'contact_person' => "$contact_person"); undef @where_clause; undef @entries; #one or both of allocated_to/contact_person undef @values; #entered name(s) from form #Identify if allocated_to and/or contact_person #have been selected - create some arrays while( my($key,$value) = each(%in) ) { if ($in{$key}) { push @where_clause, "UPPER($key) LIKE UPPER(?)"; push (@entries, $key); push (@values, "\%$value\%") } } #start composing the SQL: $sql = sprintf "SELECT FAULT_NO,FIX_STATUS,%s FROM TEST WHERE %s ", join(", ", @entries), join(" OR ", @where_clause); if ($status eq 'Active') { #Perform search for ACTIVE reports: $sql .= " AND (FIX_STATUS IN ('PENDING RESPONSE', 'AWAITING FIX', 'UNDER INVESTIGATION') )"; } elsif ($status eq 'Closed') {#Perform search for CLOSED reports: $sql .= " AND (FIX_STATUS IN ('FIXED', 'NO ACTION REQUIRED', 'FOR INFORMATION', 'UNRESOLVED') )"; } else { die "Value of \'$status\' unknown." } $sql .= " ORDER BY FAULT_NO DESC "; $sth = $dbh->prepare($sql); $sth->execute( @values ); [download] This works a charm! Again, thank to all for you contributions. Regards, Stacy	[reply] [d/l]

Replies are listed 'Best First'.

Re: Re: Cleanup time
by maderman (Beadle) on Nov 08, 2001 at 10:49 UTC


$contact_person = param("contact_person");
$allocated_to   = param("allocated_to");
$status         = param("status"); #Active or Closed
   
die "At least one of the 'ALLOCATED_TO' or 'CONTACT_PERSON' fields "
   ."must be non-blank!" if ($contact_person eq '' 
    && $allocated_to eq '');
  
$status =~ s/\s+//g;
  
%in = ('allocated_to'   => "$allocated_to",
       'contact_person' => "$contact_person");
  
undef @where_clause;
undef @entries; #one or both of allocated_to/contact_person
undef @values;  #entered name(s) from form
 
#Identify if allocated_to and/or contact_person
#have been selected - create some arrays
 
while( my($key,$value) = each(%in) ) {
  if ($in{$key}) {
    push @where_clause, "UPPER($key) LIKE UPPER(?)";
    push (@entries, $key);
    push (@values, "\%$value\%")
    }
}

#start composing the SQL:
  
$sql = sprintf "SELECT FAULT_NO,FIX_STATUS,%s FROM TEST 
       WHERE %s ", join(", ", @entries), 
       join(" OR ", @where_clause);
  
if ($status eq 'Active') { #Perform search for ACTIVE reports:
    
$sql .= " AND (FIX_STATUS IN ('PENDING RESPONSE',
                              'AWAITING FIX', 
                              'UNDER INVESTIGATION') 
                  )";   
    
} elsif ($status eq 'Closed') {#Perform search for CLOSED reports:
    
$sql .= " AND (FIX_STATUS IN ('FIXED',
                              'NO ACTION REQUIRED',
                              'FOR INFORMATION', 
                              'UNRESOLVED')
              )";
    
} else { die "Value of \'$status\' unknown." }
  
$sql .= " ORDER BY FAULT_NO DESC ";
  
$sth = $dbh->prepare($sql);
$sth->execute( @values );
[download]

[reply]
[d/l]