It's true that I do have a degree of control over things here in that all of the software code is written by my hand and my hand only - and that the input comes almost entirely from form-input by users.
Part of my intention here, however, was to decide whether I would have to force myself to always send quoted or non-quoted variables to my functions and stick with that practice, or if I could very easily write my functions so that they could say "oh, this is already quoted so I'll use it as-is" and "this one isn't quoted, so I'll quote() first before applying it into the SQL query".
Also, doing some quote testing would probably suck as I allow HTML in the input (it's an auction site).
Since I was finally able to refine my abstraction layer to something very simple when it comes to the INSERT and UPDATES, I've decided to stick with the practice of _NEVER_ quote()'ing anything. I'll just pass everything to my Auction::DB class and let it do the work (I know, I should have done this in the first place, but I was looking for a solution outside of putting it in my DB class since I wasn't quite ready to roll it out yet).
Here is the solution I have used:
I have an sqlInsert() method in my Auction::DB class:
sub sqlInsert {
my($self, $table, $data) = @_;
my $names = join(", ", map { /^[_|-](.*)/; } keys %{$data});
my $pholders = join(', ', ('?') x keys %{$data});
$self->_sqlExecute("INSERT INTO $table ($names) VALUES($pholders)",
+values %{$data});
}
sub _sqlExecute {
my ($self, $sql, @values) = @_;
$self->_sqlConnect();
my $retval;
eval {
my $sth = $self->{_dbh}->prepare($sql);
$retval = $sth->execute(@values);
};
if ($@) {croak ($@ . "\nSQL: $sql\n" . Dumper(\@_));}
return $retval;
}
Then I call it like this (by the way, I use PostgreSQL but this should work with most DBs):
sub createNewAccount {
my ($self, $fields) = @_;
# Verify required fields.
$self->_validateUsername($fields->{_USERNAME});
$self->_validateEmailAddress($fields->{_EMAIL_ADDRESS});
# Populate other required fields.
$fields->{_PASSWORD} = $self->_makePassword();
$fields->{_CREATION_DATE} = 'now()';
}
$self->sqlInsert('user_accounts',$fields);
$self->sqlCommit;
}
Now, I never need to concern myself with quoting again. And yes, I know I should have just done this in the first place, but I was looking to tidy up my existing code separately from my transition to a mod_perl/OO based re-write of the site (which I am actually in the process of doing right now).
I also understand that Perl is a horrible first language and it's a really bad idea to make Perl your first introduction to object oriented coding. However, I started my software in Perl five years ago, that's what it's in now, it's what I know the best (so far) and it's more important to maintain/improve the software and the site as it is now than to rewrite a 16,000+ line program in an entirely different (and new to me) language.
Fortunately, I've had Perlmonks to refer to as a lot of the pitfalls and questions I've encountered during this transition to OO have already been asked by others. :)
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.