Re: single error with a dbh prepare

As davorg points out, your immediate problem is that your quoting is screwed up.

However, there are couple of other things I'll point out - which you can either take on board, or ignore completely ;)

Update: As has been pointed out below, placeholders are not appropriate for column names (which don't need to be quoted anyway). Have updated my example accordingly.

It's best to try and avoid "SELECT *", and instead explicitly select the columns that you need. You never know when somebody might come along and add a few colums without you knowing.
Use placeholders!! Especially in CGI scripts, which this one obviously is. Instead of the code you have above, write something like:
```
my $name = param('name');
my $sth = $dbh->prepare("SELECT foo, bar FROM $pictures_table WHERE st
+ats = ? AND poster_name = ?");
$dbh->execute(2, $name);
[download]
```
The above is not only much more robust and secure, it also removes the need to worry about quoting stuff - as this is automagically taken care of by the DBI.

Cheers,
Darren :)

Comment on Re: single error with a dbh prepare Download Code

Replies are listed 'Best First'.
Re^2: single error with a dbh prepare by davorg (Chancellor) on May 17, 2006 at 15:38 UTC
Some DBD modules (and I'm frantically hand-waving here as I can't remember where I've seen it) are very picky about which sections of the SQL statement can include placeholders. Many of them only allow it in the WHERE clause, so using in the FROM clause like that is likely not to work on some databases. -- <http://dave.org.uk> "The first rule of Perl club is you do not talk about Perl club." -- Chip Salzenberg	[reply]
Re^2: single error with a dbh prepare by kwaping (Priest) on May 17, 2006 at 17:10 UTC
I agree with davorg in that I'd strongly recommend against using a placeholder in the FROM clause. The reason? The replacement string gets quoted, so you'll end up with "`select col1, col2 from 'schema.table'` ...". I don't know about all databases, but that syntax doesn't work in MySQL or Oracle. --- It's all fine and dandy until someone has to look at the code.	[reply] [d/l]
Re^2: single error with a dbh prepare by Errto (Vicar) on May 17, 2006 at 21:44 UTC
In my experience the issue with placeholders is not so much which clause you put them in. For example, many databases allow you to put subqueries in the from clause, assign aliases to them, and treat them as views. Within such subqueries a placeholder would be perfectly legal. The issue is that you can't use a placeholder to substitute for a table name, column name, function name etc. Placeholders can only substitute for values such as numbers and strings.	[reply]