Re^2: Check for null results

Thanks for the help, I will look up DBI and check out the fetchrow commands. As for the place holders I am not sure what your saying. is the "?" the placeholder command and when I pass a file name via execute it replaces "?" with "$filename"? Also how does passing the variable via execute and not prepare stop an injection attack?

Comment on Re^2: Check for null results

Replies are listed 'Best First'.
Re^3: Check for null results by shmem (Chancellor) on Jun 27, 2007 at 20:37 UTC
Yes, ? is the placeholder character; see the section Placeholders and Bind Values in the DBI documentation. `$sth->execute($var)` replaces the first placeholder with the contents of `$var`, taking care of proper escaping, and thus preventing SQL injection. Consider `$filename = "random.jpg'; drop table FanRatings; select 2 * 5,'"; $sth = $dbh -> prepare ( qq~select One, Two, Three from FanRatings where Title = '$filename +'~ ) or die $DBI::errstr; $sth->execute;` [download] Oops, table FanRatings gone, and 10 and the empty string returned... Whereas with placeholders, the embedded quotings in $filename will be escaped as the current database driver requires. --shmem _($_=" "x(1<<5)."?\n".q·/)Oo. G°\ / /\_¯/(q / ---------------------------- \__(m.====·.(_("always off the crowd"))."· ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}	[reply] [d/l] [select]
Re^3: Check for null results by Eagle_f90 (Acolyte) on Jun 27, 2007 at 21:42 UTC
Thanks for all the help.	[reply]