Re^3: eval dilema

C does not have eval, so you must be thinking of some other programming language.

Passing user input unfiltered to your database is a very bad idea. I think it's better if you describe to us the problem you're trying to solve with this approach.

If you want to "convert a string to a list", let's assume that the string is a string of comma-separated items. Then split could be what you're looking for. Except that you won't be able to have any items that contain a comma as the value in your list. But maybe you should explain where you get the string from in the first place.

Comment on Re^3: eval dilema

Replies are listed 'Best First'.
Re^4: eval dilema by zdzieblo (Acolyte) on Jul 14, 2008 at 11:03 UTC
yes sorry, no eval in c, i was thinking of preprocessors expands i dont think using eval is that bad idea, all the vars are in the scope and what do you mean by 'unfiltered input'? think about it as of advanced search similar you can find on almost any website. select query you're constructing varies depending on the options user chose so as $sth->excute argument list	[reply]
Re^5: eval dilema by Corion (Patriarch) on Jul 14, 2008 at 11:10 UTC
If the user enters `system -rf /` into your program or `Robert'); DROP TABLE Students; --`, you will get problems, depending on how exactly you're accepting the user input. You most likely want to read up on DBI place holders. eval is the wrong tool for this. If you need to dynamically construct a query with varying expressions, you should still use DBI placeholders instead of trying to use eval or string interpolation or string concatenation.	[reply] [d/l]
Re^6: eval dilema by zdzieblo (Acolyte) on Jul 14, 2008 at 11:17 UTC
ok, dont you think that if you're evaluating argument list for $sth->excute() you must have already used place holders?	[reply]