in reply to SQL String Escape Special Characters

JZed's response is correct -- use placeholders (best way) or you're required to obey SQL syntax and single quote the values. Just an additional tip, though -- a simple debugging statement like this:
    use strict;
    use warnings;
    use DBI;

    # $dbh is assumed to be an already-open DBI database handle

    my $uname = 'leander@whatever.com';
    my $sql   = 'SELECT uname, pwd FROM login WHERE uname=' . $uname;

    warn $sql;   # <====== would print:
                 # SELECT uname, pwd FROM login WHERE uname=leander@whatever.com
                 # which is illegal SQL (the value is not quoted)

    my $res = $dbh->selectall_arrayref($sql) || die $dbh->errstr;
would (could/should) have pointed the problem out as well.
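To make the three approaches in this thread concrete, here is an added example (not code from the post above) that runs the unquoted concatenation, the $dbh->quote() form and the placeholder form side by side against a constructed in-memory SQLite table; it assumes DBD::SQLite is installed.

```perl
#!/usr/bin/perl
# Added example, not from the thread above. Assumes DBD::SQLite is installed;
# the in-memory 'login' table and its single row are constructed here for the demo.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE login (uname TEXT, pwd TEXT)');
$dbh->do(q{INSERT INTO login VALUES ('leander@whatever.com', 'secret')});

my $uname = 'leander@whatever.com';

# 1. Plain concatenation: no quotes around the value, so the SQL is invalid.
#    Printing the statement before running it makes the defect obvious.
my $bad_sql = 'SELECT uname, pwd FROM login WHERE uname=' . $uname;
warn "about to run: $bad_sql\n";
eval { $dbh->selectall_arrayref($bad_sql) };
warn "concatenation failed as expected: $@" if $@;

# 2. Quoting via $dbh->quote: produces valid SQL and escapes embedded quotes,
#    but it is still string-building and easy to forget on one code path.
my $quoted_sql = 'SELECT uname, pwd FROM login WHERE uname=' . $dbh->quote($uname);
warn "about to run: $quoted_sql\n";
my $rows = $dbh->selectall_arrayref($quoted_sql);
printf "quote():       %d row(s)\n", scalar @$rows;

# 3. Placeholder: the value never becomes part of the SQL text, so neither
#    quoting nor escaping is the caller's problem. This is the preferred form.
my $sth = $dbh->prepare('SELECT uname, pwd FROM login WHERE uname = ?');
$sth->execute($uname);
$rows = $sth->fetchall_arrayref;
printf "placeholder:   %d row(s)\n", scalar @$rows;

# A value containing a quote behaves the same way with a placeholder:
# it is just data, never SQL.
$sth->execute("o'brien\@example.com");
printf "quote in data: %d row(s)\n", scalar @{ $sth->fetchall_arrayref };
```

The warn lines show exactly what reaches the database in the first two cases; in the placeholder case there is no assembled statement to print, which is the point.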

Re^2: SQL String Escape Special Characters
by Joost (Canon) on May 25, 2005 at 23:10 UTC
      Good advice, but I think davidrw was just pointing out how the OP could see that the OP's method of concating the SQL string didn't even put in quotes at all.