In your save_record sub you have:

    my $query = "update $Table set ? where ...";
    my $sth   = $dbh->prepare($query);

Two suggestions:
- If you are doing an update (instead of a query), you don't really need to go through the prepare(), execute() sequence. You may find that:

    $dbh->do("update $Table set...");

  is easier to deal with.
- It looks like you are aware of the ? placeholder syntax, but you aren't using it everywhere. There are several
cases where you are putting "raw" variables into a select
or update clause. This can cause problems if the variable
content has a single quote, percent sign, etc. You'll either
have to use the $dbh->quote() method to escape chars (better), or the ? placeholder syntax (better still).
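Both suggestions side by side, as an added example that is not part of the original reply or the poster's save_record sub. It uses an in-memory SQLite database through DBD::SQLite (assumed installed) so it runs offline; the table name `records`, the column names and the sample values are constructed for the illustration. It shows the raw-interpolation form breaking on a single quote and being hijacked by a quote-plus-comment, then the same update done with $dbh->quote() and with ? placeholders through do(). One caveat worth knowing: placeholders bind values only, not table or column names, so $Table still has to be interpolated and must come from trusted code.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Stand-alone in-memory database (assumption: DBD::SQLite is available).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

my $Table = 'records';   # hypothetical table name, standing in for the poster's $Table
$dbh->do("CREATE TABLE $Table (id INTEGER PRIMARY KEY, name TEXT, note TEXT)");
$dbh->do("INSERT INTO $Table (id, name, note) VALUES (1, 'alice', 'untouched')");
$dbh->do("INSERT INTO $Table (id, name, note) VALUES (2, 'bob',   'untouched')");

sub dump_table {
    my $rows = $dbh->selectall_arrayref("SELECT id, name, note FROM $Table ORDER BY id");
    printf "  %d %-6s %s\n", @$_ for @$rows;
}

# Constructed inputs: one with a single quote and a percent sign, one crafted
# to close the string literal and comment out the rest of the statement.
my $id        = 1;
my $note      = "O'Reilly 100% done";
my $malicious = "pwned' -- ";

# 1. Raw interpolation. The stray quote in $note is a syntax error, and
#    $malicious turns "WHERE id = 1" into a comment so every row is updated.
eval { $dbh->do("UPDATE $Table SET note = '$note' WHERE id = $id") };
print "raw interpolation of \$note failed: $@";
$dbh->do("UPDATE $Table SET note = '$malicious' WHERE id = $id");
print "after raw interpolation of \$malicious (both rows hit):\n";
dump_table();

# 2. $dbh->quote(): escapes the value and supplies the surrounding quotes,
#    so the same inputs are stored literally.
my $sql = sprintf "UPDATE %s SET note = %s WHERE id = %s",
    $Table, $dbh->quote($note), $dbh->quote($id);
$dbh->do($sql);
$dbh->do("UPDATE $Table SET note = " . $dbh->quote($malicious) . " WHERE id = 2");
print "after \$dbh->quote():\n";
dump_table();

# 3. Placeholders: the values travel separately from the SQL text, so no
#    escaping is needed at all. do() takes them after an undef \%attr.
#    Only values can be bound; $Table is still interpolated and must be trusted.
my $rows = $dbh->do("UPDATE $Table SET note = ? WHERE id = ?", undef, $note, $id);
$dbh->do("UPDATE $Table SET note = ? WHERE id = ?", undef, $malicious, 2);
print "after placeholders ($rows row updated by the first statement):\n";
dump_table();

# A select still goes through prepare()/execute(), because it returns rows.
my $sth = $dbh->prepare("SELECT name FROM $Table WHERE note LIKE ?");
$sth->execute('%Reilly%');
while (my ($name) = $sth->fetchrow_array) {
    print "row with O'Reilly in its note: $name\n";
}
$sth->finish;
$dbh->disconnect;
```

Run it and compare the three dumps: only the raw-interpolation step loses the WHERE clause, while quote() and placeholders both store the awkward strings exactly as given.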