in reply to Reliability of quoting via DBI placeholders

Based on a quick perusal of the DBI source, for the function named 'quote', there's a check for a data type. It won't quote any of the following (at least in my version): 
DBI::SQL_INTEGER
DBI::SQL_SMALLINT
DBI::SQL_DECIMAL
DBI::SQL_FLOAT
DBI::SQL_REAL
DBI::SQL_DOUBLE
DBI::SQL_NUMERIC

[download]
For all other items (for which a type is provided), it looks up the type to see if it needs quoting. If so, it slaps a single quote around it. Any single quotes (or whatever the appropriate literal prefix for that data type) found in the string are doubled.

That's also done if there's no type provided.

I've always found this to be more valuable because it helps avoid some malicious statements -- a user will have more trouble trying to drop one of my tables if his '; DROP TABLE users;' statement is quoted and treated as a literal string.

Replies are listed 'Best First'.
RE: Re: Reliability of quoting via DBI placeholders
by princepawn (Parson) on Aug 21, 2000 at 22:09 UTC
    But the DBI book hedges on this topic... it actually says that it uses a heuristic to determine quotability when using placeholders, which is why I did the following instead: 
     # As ubiquitous as hashes are in Perl, the DBI API does not
 # offer a way to commit hashes to disk.
 # @::order_data consists of the field names of my database
 # in order
 sub fiddle_with_my_data_to_get_it_to_work_with_the_DBI_API {

   my @output_data;
   for (@::order_data) {
     push @output_data, $dbh->quote
       (
        defined($::uregister->{$_}) 
        ? $::uregister->{$_} 
        : $::profile{$_}
       );
   }

   $::INSERT_TERM=join ',', @output_data;
 }

    [download]

    princepawn, but tye calls me "PrincePawn"

[reply]
[d/l]

In Section Seekers of Perl Wisdom