in reply to Using variables within a mysql query

Try something like this:

my $table = 'book';
my $condition = '1';
my $sort_field = 'id';
my $sort_order = 'DESC";
my $sql = "SELECT id, name, location FROM $table WHERE $condition ORDE
+R BY $sort_field $sort_order";
print $sql,"\n";

my $sth = $dbh->prepare($sql);
$sth->execute() or warn "Unable to query $table" $dbh->errstr . "\n" .
+ $!;
while (my $row = $sth->fetchrow_hashref()) {
  print $row->{'id'},"\t",$row->{'name'},"\t",$row->{'location'},"\n";
+; 
}

[download]
Remember: single quotes give you a literal, double quotes interpolates included variables. Also, if this is untrusted user input you are manipulating (say the kind collected at a browser) you would be much safer to use bind variables, by replacing these two lines like so:

my $sql = "SELECT id, name, location FROM $table WHERE ? ORDER BY ? ?"
+;

   .   .   .   

$sth->execute($condition,$sort_field,$sort_order);

[download]
Note: I've never tried to feed a $sort_order as a bind variable and have no idea if that would work. But a few tests ought to let you know if it will. I do know that the rest of this should work, although I have not tested this code, leaving that to you.

-- Hugh

if( $lal && $lol ) { $life++; }

Replies are listed 'Best First'.
Re^2: Using variables within a mysql query
by psini (Deacon) on May 11, 2008 at 21:29 UTC

    I really doubt that this could work. From DBI's POD:

    "With most drivers, placeholders can't be used for any element of a statement that would prevent the database server from validating the statement and creating a query execution plan for it"

    And if it works, it should be a literal substitution, so probably can't be used to avoid sql injection

    I, in my code, use plain old sprintf to build the query when I need to change table or column names and bind only the scalar values

    Obviously everything is included with sprintf must be validated if coming from outside the script

[reply]
[d/l]

In Section Seekers of Perl Wisdom