in reply to Escaping characters

Sorry... here is some code, but I think I've already gotten my answer through your helpful posts (thanks!)...

    use DBI;

    sub exec_add_sql {
        my $id          = $in{'id'};
        my $title       = $in{'title'};
        my $date        = $in{'date'};
        my $description = $in{'description'};
        my $category    = $in{'category'};

        # connect to the database
        my $dbh = DBI->connect("DBI:mysql:database:sql.server.com", 'user', 'pw');

        # prepare the query: the form values are interpolated straight into the SQL text,
        # so a value containing a quote character changes the statement itself
        my $sth = $dbh->prepare("insert into postcards(id, title, date, description, category) values('$id', '$title', '$date', '$description', '$category')");

        # execute the query
        $sth->execute();
        $sth->finish();
        $dbh->disconnect();
    }
Do you think I should take out the 's from the values part? I will try it right now. Thanks for your help!

Re: Re: Escaping characters
by rdfield (Priest) on Dec 02, 2002 at 10:04 UTC
    Do you think I should take out the 's from the values part? I will try it right now. Thanks for your help!
    Nope. Replace the variables that are being interpolated in your prepare statement with question marks (these are the "placeholders" mentioned previously), and add the variable names as parameters to the execute statement. There are plenty of examples in the Tutorials section and the DBI documentation, but in your case the code should be as follows:

        my $sth = $dbh->prepare("insert into postcards(id, title, date, description, category) values (?,?,?,?,?)");
        $sth->execute($id, $title, $date, $description, $category);

    rdfield
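An added, runnable example of the placeholder approach applied to the postcards insert (my code, not rdfield's or the original poster's). It assumes DBD::SQLite is installed and uses an in-memory database in place of the MySQL server so it runs offline; the input values are constructed to contain the quote characters this thread is about.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example (not from the thread): an in-memory SQLite database stands in
# for the poster's MySQL server so the script runs offline. Only the DSN differs.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE postcards (id INTEGER, title TEXT, date TEXT, "
       . "description TEXT, category TEXT)");

# Constructed form input containing the characters that break interpolated SQL.
my %in = (
    id          => 1,
    title       => "Season's Greetings",
    date        => '2002-12-02',
    description => q{He said "hello"; it's 100% fine -- even with ; and --},
    category    => 'holiday',
);

# Placeholders: DBI sends the values separately from the SQL text, so nothing
# in %in is ever parsed as SQL and no manual escaping is needed.
sub exec_add_sql {
    my ($dbh, $in) = @_;
    my $sth = $dbh->prepare(
        "INSERT INTO postcards (id, title, date, description, category) "
      . "VALUES (?, ?, ?, ?, ?)");
    $sth->execute(@{$in}{qw(id title date description category)});
    return $sth->rows;
}

exec_add_sql($dbh, \%in);

# Read the row back: the apostrophe and double quotes are stored exactly as given.
my ($title, $desc) = $dbh->selectrow_array(
    "SELECT title, description FROM postcards WHERE id = ?", undef, $in{id});
print "title: $title\ndescription: $desc\n";

# For the rare statement where a placeholder is not allowed, $dbh->quote()
# produces a correctly escaped literal; compare it with naive interpolation,
# which leaves the embedded apostrophe unescaped inside the quoted string.
print "quoted: ", $dbh->quote($in{title}), "\n";
print "naive:  '$in{title}'\n";

$dbh->disconnect;
```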