in reply to Re^2: Cookie login (pseudocode)
in thread Cookie login (pseudocode)

Moritz, please elaborate on the use of placeholders for this purpose. I have a similar need, and I'm not sure what you are recommending here. Thanks, --Akoya.

Re^4: Cookie login (pseudocode)
by Spidy (Chaplain) on Feb 20, 2008 at 15:59 UTC
    Akoya, the DBI module will sanitize the parameters you pass in to placeholders in a prepared statement:
    my $sth = $dbh->prepare("SELECT * FROM foo WHERE bar = ?");
    $sth->execute("my 'scary variable here';");
    Whereas if you just did it using $dbh->do():
    $dbh->do("SELECT * FROM foo WHERE bar = " . "my scary 'variable here';");
    You would have a problem, because the ' and ; characters would not have been escaped - and would therefore do Bad Things™ to your database.
Re^4: Cookie login (pseudocode)
by hpavc (Acolyte) on Feb 20, 2008 at 17:55 UTC
    my $sth = $dbh->prepare("update thetable set that=? where this=?");
    $sth->execute($that, $this);
    
    I believe he means that $this and $that are SQL-safe below. $this could easily be "1;delete from thetable"; the engine would merely look for column data of that string, not append the information. Unlike something like ...
    my $sth = $dbh->prepare("update thetable set that=$that where this=$this");
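The following is an added example, not code posted by Spidy or hpavc. It runs the two UPDATE styles from hpavc's reply against an in-memory SQLite database and reports how many rows each one touched, so the difference Spidy describes (an unescaped ' changing the statement) is visible in the row counts. It assumes DBI and DBD::SQLite are installed; the table, column names and inputs are constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread. Assumes DBI and DBD::SQLite
# are installed; the table, columns and inputs are constructed here.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });

# Constructed sample table: two rows, both with that='old'.
sub reset_table {
    $dbh->do("DROP TABLE IF EXISTS thetable");
    $dbh->do("CREATE TABLE thetable (this TEXT, that TEXT)");
    $dbh->do("INSERT INTO thetable VALUES ('alice', 'old')");
    $dbh->do("INSERT INTO thetable VALUES ('bob', 'old')");
}

# The interpolated form from the end of hpavc's reply: the values become
# part of the SQL text, so a quote inside $this rewrites the WHERE clause.
sub update_interpolated {
    my ($this, $that) = @_;
    my $n = $dbh->do("UPDATE thetable SET that='$that' WHERE this='$this'");
    return $n + 0;   # do() returns "0E0" for zero rows; force a number
}

# The placeholder form: DBI hands $this and $that to the engine as bound
# values, so it only looks for a row whose `this` column equals the whole
# string, quote and all.
sub update_placeholder {
    my ($this, $that) = @_;
    my $sth = $dbh->prepare("UPDATE thetable SET that=? WHERE this=?");
    $sth->execute($that, $this);
    return $sth->rows + 0;
}

# Untrusted input of the kind Spidy describes: it contains an unescaped '.
my $scary = "bob' OR 'x'='x";

reset_table();
printf "interpolated, scary input: %d row(s) updated\n",
    update_interpolated($scary, "new");

reset_table();
printf "placeholder, scary input:  %d row(s) updated\n",
    update_placeholder($scary, "new");

# A normal value goes through the placeholder path unchanged.
reset_table();
printf "placeholder, normal input: %d row(s) updated\n",
    update_placeholder("bob", "new");
```

With the interpolated statement the quote in $scary closes the string early and the rest becomes part of the WHERE clause, so both rows are updated; with the placeholder statement the same input is compared as one literal value, no row matches, and the plain input "bob" updates exactly its one row. The placeholder version is the one to keep, and binding the values also means DBI, not your code, handles the quoting for whichever database the handle points at.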