in reply to Re: RFC: DBIx::Library
in thread RFC: DBIx::Library

Thanks for the input.

I will add a pod section setting it apart.

The ugly quoting was a thing for me too, but I hadn't run into it yet in my production environment so it hasn't been added. I'm thinking that if you send an arrayref it quotes and commas it for you to simplify that.

The placeholder scheme it uses is completely independent of the ? scheme. ? is for run-time replacements, and this module does.. pre-run replacements? Useful for actually changing the SQL itself: if you have two SQL statements that are 90% the same, now you can make all the common parts one entry and use a $$ placeholder to insert the extra SQL.

Off to do my homework on those other modules and add an explanation of why I'm making this when there is already a wheel.


___________
Eric Hodges

Re^3: RFC: DBIx::Library
by perrin (Chancellor) on Oct 13, 2004 at 18:48 UTC
    I'm not sure you understand how important it is to use either placeholders or the DBI quote() method. If you don't do this, you are wide open to SQL-injection attacks.

      You don't understand how the replacements are meant to be used. The $$ replacements are not ?. I know that. They are for cases where you want a general piece of SQL that will always be the same, a big set of joins or a complex where, but other parts like limit or the fields might change. In those cases ? would do you no good. Here on the other hand you can now use the $$ to substitute in actual SQL. $$ would always be done by the actual code, unlike ? that would normally be user-supplied (and untainted) data.

      On review I see how maybe that distinction is not clear from the POD. /me wanders off to find a home for it in the POD. Thanks for the feedback.


      ___________
      Eric Hodges
        That makes sense. I'd suggest putting some placeholder examples in your SYNOPSIS to make it clear.
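An added example, not code from this thread or from DBIx::Library, showing the split the two posters settle on: a hypothetical `expand_template` fills `$$name$$` slots only from SQL fragments the program owns, while the user-supplied value stays behind a `?` placeholder, and a list is quoted per element with DBI's `quote()`. It assumes DBD::SQLite is installed and uses constructed sample rows.

```perl
use strict;
use warnings;
use DBI;

# Constructed sample data in an in-memory SQLite database (DBD::SQLite assumed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do(q{CREATE TABLE users (id INTEGER, name TEXT, role TEXT)});
$dbh->do(q{INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')});

# Hypothetical pre-run substitution: each $$name$$ slot is filled from a
# table of SQL fragments the program itself owns, before prepare().
# Nothing user-supplied may ever reach this table.
my %fragments = (
    fields  => 'id, name',
    ordered => 'ORDER BY name',
);

sub expand_template {
    my ($sql, $frag) = @_;
    $sql =~ s{\$\$(\w+)\$\$}{
        exists $frag->{$1} ? $frag->{$1} : die "unknown SQL fragment '$1'\n"
    }ge;
    return $sql;
}

# The ? placeholder survives expansion and is bound at run time.
my $template = 'SELECT $$fields$$ FROM users WHERE role = ? $$ordered$$';
my $sql      = expand_template($template, \%fragments);
my $sth      = $dbh->prepare($sql);

# Legitimate lookup: matches alice only.
$sth->execute('admin');
my $hits = $sth->fetchall_arrayref;
print scalar(@$hits), " row(s) for 'admin'\n";

# Hostile input bound through ? is compared as a literal string, so the
# OR clause never becomes SQL and the query matches no rows at all.
$sth->execute(q{admin' OR '1'='1});
$hits = $sth->fetchall_arrayref;
print scalar(@$hits), " row(s) for the injection attempt\n";

# The "quote and comma an arrayref" case from the thread, done with
# DBI's quote() so each element is escaped for this driver.
my @names = ('alice', q{o'neil});
my $list  = join ', ', map { $dbh->quote($_) } @names;
print "IN ($list)\n";
```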