in reply to username and password verification from a table in Postgres

Well, let's at least properly escape the username using a placeholder:
    my $count = $dbh->selectrow_array(
        'select count(*) from users where userid = ?', undef, $username);
    if ($count) { print "$username is valid\n"; }

-- Randal L. Schwartz, Perl hacker

Re: •Re: username and password verification from a table in Postgres
by spq (Friar) on May 22, 2002 at 18:30 UTC

    Why do you use the placeholder, and then supply the value in the same statement? Granted, I didn't even know this was possible, so I appreciate having seen it.

    But why not just do this?

    my $count = $dbh->selectrow_array("select count(*) from
        users where userid = $username");
    

    Thanks,
    Sean

      Consider the case where $username is "Joe Blow". Without quoting, the space would interpolate, rendering illegal SQL.

      Hmmm, looking at your message and my reply side by side, I think I get your intent now. You use the placeholder to escape (I didn't apply your use of this word properly) the username, in the sense that you take advantage of the automatic quoting of values substituted for placeholders, as a way to protect possibly invalid characters in the username?

      This jumped out at me when I looked at my own post and realized that it would be an invalid statement.

      For Anonymous Monk: Another way of doing this in advance is to use the DBI's quote method, like:

      my $quoted_username = $dbh->quote($username);
      

      Hmm, this reminds me I had thought to post a general question about a MySQL DBI driver patch I used to add an extra placeholder that does not get quoted, and so is useful for table names and such...

      Anywho, my apologies for the line noise.
      Sean
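The three approaches discussed in this thread (raw interpolation, a placeholder, and $dbh->quote), as an added example rather than code from any of the posters: it runs against a constructed in-memory table via DBD::SQLite (assumed installed) standing in for the Postgres users table, and the helper subs count_interpolated, count_placeholder and count_quoted are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory SQLite table standing in for the Postgres users table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('create table users (userid text primary key)');
$dbh->do('insert into users (userid) values (?)', undef, $_)
    for ('merlyn', 'spq', 'Joe Blow', "O'Brien");

# Hypothetical helper: the interpolated form from the thread. The username
# lands in the SQL text itself, so a bare word, a space or an apostrophe all
# change the statement; eval reports the parse error instead of dying.
sub count_interpolated {
    my ($dbh, $username) = @_;
    my $count = eval {
        $dbh->selectrow_array("select count(*) from users where userid = $username");
    };
    return $count if defined $count;
    (my $err = $@) =~ s/\s+\z//;
    return "SQL error: $err";
}

# Hypothetical helper: the placeholder form. The value travels separately
# from the SQL text, so no character in it is ever read as SQL syntax.
sub count_placeholder {
    my ($dbh, $username) = @_;
    return $dbh->selectrow_array(
        'select count(*) from users where userid = ?', undef, $username);
}

# Hypothetical helper: the $dbh->quote alternative. quote() wraps the value in
# single quotes and doubles any embedded quote, e.g. O'Brien -> 'O''Brien'.
sub count_quoted {
    my ($dbh, $username) = @_;
    my $quoted = $dbh->quote($username);
    return $dbh->selectrow_array("select count(*) from users where userid = $quoted");
}

for my $name ('merlyn', 'Joe Blow', "O'Brien", 'nobody') {
    printf "%-10s placeholder=%d quoted=%d interpolated=%s\n",
        $name,
        count_placeholder($dbh, $name),
        count_quoted($dbh, $name),
        count_interpolated($dbh, $name);
}
```

Note that even the plain "merlyn" fails when interpolated, since unquoted it is parsed as a column name, not a string.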