Re: Check for null results

Use placeholders to avoid SQL injection attacks, and don't interpolate DBI::errstr in double quotes:

$sth = $dbh -> prepare (qq~select One, Two, Three, Four, Five from Fan
+Ratings where Title = ?~) or die $DBI::errstr;
$sth -> execute ($filename);
[download]

But there's something missing? How do you retrieve the data? Look for the fetchrow_* mehods in DBI.

--shmem

_($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                              /\_¯/(q    /
----------------------------  \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}

Comment on Re: Check for null results Download Code

Replies are listed 'Best First'.
Re^2: Check for null results by Eagle_f90 (Acolyte) on Jun 27, 2007 at 17:18 UTC
Thanks for the help, I will look up DBI and check out the fetchrow commands. As for the place holders I am not sure what your saying. is the "?" the placeholder command and when I pass a file name via execute it replaces "?" with "$filename"? Also how does passing the variable via execute and not prepare stop an injection attack?	[reply]
Re^3: Check for null results by shmem (Chancellor) on Jun 27, 2007 at 20:37 UTC
Yes, ? is the placeholder character; see the section Placeholders and Bind Values in the DBI documentation. `$sth->execute($var)` replaces the first placeholder with the contents of `$var`, taking care of proper escaping, and thus preventing SQL injection. Consider `$filename = "random.jpg'; drop table FanRatings; select 2 * 5,'"; $sth = $dbh -> prepare ( qq~select One, Two, Three from FanRatings where Title = '$filename +'~ ) or die $DBI::errstr; $sth->execute;` [download] Oops, table FanRatings gone, and 10 and the empty string returned... Whereas with placeholders, the embedded quotings in $filename will be escaped as the current database driver requires. --shmem _($_=" "x(1<<5)."?\n".q·/)Oo. G°\ / /\_¯/(q / ---------------------------- \__(m.====·.(_("always off the crowd"))."· ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}	[reply] [d/l] [select]
Re^3: Check for null results by Eagle_f90 (Acolyte) on Jun 27, 2007 at 21:42 UTC
Thanks for all the help.	[reply]