Re: SQL Quoting

Are you using DBI? If so, you should use placeholders to specify what gets put into the DB. Before being added, all questionable characters, including single and double quotes, are appropriate escaped to avoid problems.

use DBI;
my $dbh = DBI->connect( ... );
my $sth = $dbh->prepare( "INSERT INTO table VALUES ( ?, ?, ? )" ) or d
+ie $DBI->errstr;
$sth->execute( $name, $address, $comment ) or die $DBI->errstr;
[download]

In the case above, the SQL that will be processed is:

INSERT INTO table VALUES ( $name, $address, $comment )
[download]

But with $name, $address, and $comment appropriate escaped to avoid problems with quoted characters.

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
"I can see my house from here!"
It's not what you know, but knowing how to find it if you don't know that's important

Comment on Re: SQL Quoting Select or Download Code

Replies are listed 'Best First'.
Re: Re: SQL Quoting by Matts (Deacon) on Jan 28, 2002 at 22:24 UTC
And the biggest bonus of all: Most modern DB's will cache the statement handle for you so that you can use the same SQL again and again, and it won't have to go through the SQL parsing overhead (not that there's much overhead, but it's still a bonus). Plus you can use `$dbh->prepare_cached()` if the underlying database doesn't do that for you. In summary, always use placeholders. There's simply no reason not to.	[reply] [d/l]

Replies are listed 'Best First'.

Re: Re: SQL Quoting
by Matts (Deacon) on Jan 28, 2002 at 22:24 UTC

$dbh->prepare_cached()

In summary, always use placeholders. There's simply no reason not to.

[reply]
[d/l]