You thought incorrectly.

Using placeholders is the standard practice.

Escaping quotes (and, hopefully, other meta-characters) was standard practice for languages, database engines, and database interface layers which weren't capable of supporting placeholders... but such languages, engines, and layers are now relics of a bygone time and have mostly fallen out of use.

More to the point, neither Perl, nor MySQL/MariaDB, nor DBI have that defect. You are using a set of technologies which are sufficiently modern to provide end-to-end support for placeholders, thus, using them is the standard practice (and universally-acknowledged Best Practice) for those technologies.

So, why are placeholders the preferred practice?

Because, when using placeholders, the structure of the query (with placeholders to later insert data values) is presented to the database engine separately from the data values themselves. This makes it absolutely impossible (barring serious bugs in the database engine) for data to be misinterpreted as an SQL instruction. In cases where similar queries are re-used multiple times, it can also provide some performance benefits by allowing you to only do the structural parsing once and then running it with different data values, but this is a secondary benefit, not the primary purpose for using placeholders. Thus, "I'm only going to run this query once" is not a sensible reason to forgo their use.

When done properly, escaping can provide a good level of protection from SQL-based attacks or SQL parsing errors resulting from strange data values. But doing escaping properly is hard and it can be time-consuming as well.

Using placeholders, in contrast, provides absolute protection and is dead easy. The only way to use them incorrectly is to not use them.


In reply to Re^7: Best practices for closing database connections? by dsheroh
in thread Best practices for closing database connections? by Polyglot
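A short Perl DBI script that shows the separation the reply describes: the same quote-bearing value is handed to the engine once by interpolation and once through a placeholder. This is an added example, not code from the original reply; it assumes DBD::SQLite with an in-memory database in place of MySQL/MariaDB so it runs offline, and the DBI prepare/execute API used is the same for both drivers.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: an in-memory SQLite database stands in for MySQL/MariaDB.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');

# Structure is parsed once, before any data value exists.
my $ins = $dbh->prepare('INSERT INTO users (name, role) VALUES (?, ?)');

# Constructed sample data; one legitimate value contains a quote character.
my $input = "O'Brien";
$ins->execute($_->[0], $_->[1])
    for (['alice', 'admin'], ['bob', 'user'], [$input, 'user']);

# Interpolation: the quote lands inside the SQL text, so the engine reads a
# broken statement (data has been taken as structure). RaiseError turns that
# into an exception; it is caught here only to show it happening.
my $interp = eval {
    $dbh->selectall_arrayref("SELECT name FROM users WHERE name = '$input'");
};
print 'interpolated: ', ($@ ? "SQL error from the engine\n" : "ok\n");

# Placeholder: structure and data travel separately, so the value is compared
# literally as a name and the row is found, with no escaping in user code.
my $sel = $dbh->prepare('SELECT name FROM users WHERE name = ?');
$sel->execute($input);
my $rows = $sel->fetchall_arrayref;
printf "placeholder:  %d row(s) for %s\n", scalar @$rows, $input;

# The prepared statement is reused with other values; the engine re-parses
# nothing, which is the secondary benefit the reply mentions.
for my $name (qw(alice bob carol)) {
    $sel->execute($name);
    my $r = $sel->fetchall_arrayref;
    printf "%-6s -> %s\n", $name, @$r ? 'found' : 'absent';
}

$dbh->disconnect;
```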
