in reply to security question, mysql, limit, dbi, and placeholders

Have you tested the search without the LIMIT? Because I suspect the error is elsewhere in your SQL. I don't know MySQL, but other databases I have seen want values in the list for the IN statement. Column names don't work. You might try rewriting it like this: 
SELECT * FROM products WHERE prod_name = ? OR prod_desc = ?

[download]
Also, PostgreSQL doesn't support placeholders for the number after the LIMIT. MySQL may have the same limitation. If you can't use placeholders, you will need to interpolate the value when you construct the SQL. This means you must be careful about validating the value to be a number.

Replies are listed 'Best First'.
Re: Re: security question, mysql, limit, dbi, and placeholders
by pfaut (Priest) on Apr 25, 2003 at 21:05 UTC
    Also, PostgreSQL doesn't support placeholders for the number after the LIMIT.

    Yes it does.

    #!/usr/bin/perl -w
use strict;
use DBI;
my $dbh = DBI->connect("dbi:Pg:dbname=pfau")
    or die "Unable to connect to db: $DBI::errstr";
$dbh->{RaiseError} = 1;
my $s = $dbh->prepare("select relname from pg_class limit ? offset ?")
+;
my $r = $s->execute(3,10);
while (my @row = $s->fetchrow_array) {
    print "Table: $row[0]\n";
}
$s->finish;
$dbh->disconnect;

    [download]

    Produces:

    Table: pg_attrdef
Table: pg_toast_17086_idx
Table: pg_trigger

    [download]
    90% of every Perl application is already written.
    dragonchild
[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom