Re: Accept array from Form and put in DB

Note that you should be extremely careful when accepting user data like this; always use Taint mode and launder user input very carefully. See the discussion in Ch 23 of Camel 3rd Ed. 'Detecting and Laundering Tainted Data'.

Secondly, whenever you need to process SQL in a loop like this, consider using the prepare/execute idiom:

my $sth = $dbh->prepare(<<SQL)
INSERT INTO needed_details (quantity,item_number)
VALUES (?,?)
SQL
# Error-check here.

foreach my $quantity (@quantity) {
    $sth->execute($quantity,$item_number);
    # Error check here.
}
[download]

At the very least, this will save you the need to explicitly quote your data; if you envisage inserting many rows in a given program execute, this will save you the cost of the DBMS re-compiling the query on every pass (for those DBMSs that support query preparing).

Comment on Re: Accept array from Form and put in DB Download Code

Replies are listed 'Best First'.
Re: Re: Accept array from Form and put in DB by peppiv (Curate) on Dec 09, 2002 at 16:05 UTC
Sorry, meant to point out that I'm using FreeTDS connecting Linux/Apache to Win2K/SQL Server 7. Placeholders don't work in this configuration (yet). I try not to clutter the page and make the post as brief as possible. But yes, I do use Taint and every other security measure I can think of. I also use strict and I declared the variable. Thanks for the help.	[reply]