in reply to No apostrophe Insert into MySQL

You should use placeholders, as Aristotle said. But you should also be aware that the way to escape apostrophes in ANSI SQL is with another apostrophe. So you'd do
$checked_feedback =~ s/'/''/g;

Caution: Contents may have been coded under pressure.

Re^2: No apostrophe Insert into MySQL
by Codon (Friar) on Oct 31, 2005 at 21:16 UTC
    DBI also supplies a quote() method which will quote a string appropriately for your DB. This may save you from massive code refactoring.
    my $quoted = $dbh->quote("Wouldn't you rather use bind parameters?");
    TMTOWTDI, although some are certainly better than others.

    Ivan Heffner
    Sr. Software Engineer, DAS Lead
    WhitePages.com, Inc.
Re^2: No apostrophe Insert into MySQL
by Aristotle (Chancellor) on Oct 31, 2005 at 21:30 UTC

    But some databases accept backslashing as well. And others yet may have who-knows-what special rules. Unless you cover every possible base, an attacker will have a way in.

    Quoting your strings manually is an uphill battle, and one you may lose with your next system upgrade. So don’t even try. Use the quoting facilities supplied by the database (or the DBI driver) instead. They’re always complete – and if not, it’s because of someone else’s bug, with the maintenance cost being outside your codebase.

    Makeshifts last the longest.
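The three approaches the thread compares side by side (the top reply's `s/'/''/g`, Codon's `$dbh->quote()`, and Aristotle's bind parameters), as an added example that is not code from the thread. It runs against an in-memory SQLite database and assumes DBD::SQLite is installed; the table name and the sample input are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): three ways to get an apostrophe into a
# row, run against an in-memory SQLite database via DBI. Assumes DBD::SQLite
# is installed; the table and the sample string are constructed here.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 } );
$dbh->do("CREATE TABLE feedback (id INTEGER PRIMARY KEY, body TEXT)");

# Constructed input: what a user might type, with an apostrophe and a backslash.
my $raw = "Don't use \\ backslashes to escape me";

# 1. Bind parameters: the value never becomes part of the SQL text at all,
#    so no quoting rule of any dialect applies to it.
$dbh->do( "INSERT INTO feedback (body) VALUES (?)", undef, $raw );

# 2. $dbh->quote(): the driver applies its own dialect's rules (for SQLite
#    and ANSI SQL that is doubling the apostrophe and wrapping in single
#    quotes), so the rules live in the driver, not in your code.
my $quoted = $dbh->quote($raw);
print "quote() produced: $quoted\n";
$dbh->do("INSERT INTO feedback (body) VALUES ($quoted)");

# 3. The manual s/'/''/g from the top reply: correct for ANSI SQL and for
#    SQLite, but it is your job to keep it correct for every backend. A
#    backend that treats backslash as an escape character in string literals
#    would already need extra handling for the sample input above.
( my $manual = $raw ) =~ s/'/''/g;
$dbh->do("INSERT INTO feedback (body) VALUES ('$manual')");

# Read everything back and check that each stored value equals the input.
my $rows = $dbh->selectcol_arrayref("SELECT body FROM feedback ORDER BY id");
for my $i ( 0 .. $#$rows ) {
    printf "row %d %s\n", $i + 1,
        $rows->[$i] eq $raw ? "matches input" : "DIFFERS: $rows->[$i]";
}
$dbh->disconnect;
```

On SQLite all three rows read back identical to the input, which is exactly the point: the first two stay correct when the backend changes, while the third is only correct for as long as someone remembers to revisit it.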