in reply to Re^2: RFC: DBIx::Library
in thread RFC: DBIx::Library

I'm not sure you understand how important it is to use either placeholders or the DBI quote() method. If you don't do this, you are wide open to SQL-injection attacks.

Re^4: RFC: DBIx::Library
by eric256 (Parson) on Oct 13, 2004 at 19:45 UTC

    You don't understand how the replacements are meant to be used. The $$ replacements are not ?. I know that. They are for cases where you want a general piece of SQL that will always be the same, a big set of joins or a complex where, but other parts like limit or the fields might change. In those cases ? would do you no good. Here on the other hand you can now use the $$ to substitute in actual SQL. $$ would always be done by the actual code, unlike ? that would normally be user supplied (and untainted) data.

    On review I see how maybe that distinction is not clear from the POD. /me wanders off to find a home for it in the POD. Thanks for the feedback.


    ___________
    Eric Hodges
      That makes sense. I'd suggest putting some placeholder examples in your SYNOPSIS to make it clear.
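The distinction drawn in this thread, code-controlled SQL fragments substituted into a template versus user-supplied values bound through ? placeholders (or passed through $dbh->quote()), shown as an added example. This is not DBIx::Library's code: expand_template() is a hypothetical helper written here to mimic the "$$" idea the reply describes, and the example assumes DBD::SQLite is available for an in-memory database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Hypothetical helper, not part of DBIx::Library: "$$name" tokens in the
# template are replaced by SQL fragments the program itself supplies.
# User-supplied *values* never go through here; they travel as "?"
# placeholders and are bound at execute() time.
sub expand_template {
    my ($template, $fragments) = @_;
    my $sql = $template;
    # Only replace tokens the caller explicitly provided. An unknown token
    # is a programming error, so fail loudly rather than emit broken SQL.
    $sql =~ s/\$\$(\w+)/
        exists $fragments->{$1} ? $fragments->{$1}
                                : die "no fragment supplied for \$\$$1\n"
    /ge;
    return $sql;
}

# Constructed sample data in an in-memory SQLite database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER, name TEXT, email TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (id, name, email) VALUES (?, ?, ?)');
$ins->execute(@$_) for [1, 'alice',   'alice@example.org'],
                      [2, "o'brien", 'ob@example.org'];

# The fixed shape of the query. Which columns come back and whether a
# LIMIT applies is decided by the code, so those parts are $$ fragments;
# the value being searched for is a ? placeholder.
my $template = 'SELECT $$fields FROM users WHERE name = ? $$limit';

# These fragments originate in the program, never in a request.
my %fragments = (
    fields => 'id, name',
    limit  => 'LIMIT 10',
);

# The untrusted part. It contains a quote character, which would break a
# query built by string interpolation; bound as a placeholder the driver
# treats it purely as data and it simply matches the second row.
my $user_input = "o'brien";

my $sth = $dbh->prepare(expand_template($template, \%fragments));
$sth->execute($user_input);
while (my $row = $sth->fetchrow_hashref) {
    print "$row->{id}\t$row->{name}\n";
}

# The other safe route the post names: $dbh->quote() escapes the value for
# the connected driver, for the rare case where a placeholder cannot be used.
my $quoted = $dbh->quote($user_input);
my ($count) = $dbh->selectrow_array(
    "SELECT COUNT(*) FROM users WHERE name = $quoted");
print "quote() route matched $count row(s)\n";
```

The important property is that nothing from a request ever reaches expand_template(): the %fragments hash is populated from literals in the program, so the only way to change the SQL structure is to change the code. Anything that does come from a user goes through execute() arguments or quote(), exactly as the first reply in the thread asks for.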