in reply to MySQL question

What almut is talking about:

    # instead of:
    $sql = qq{ insert into my_table (update_1) values ('$sometext') };
    $sth = $dbh->prepare($sql);
    $sth->execute();

    # use placeholders:
    $sql = qq{ insert into my_table (update_1) values (?) };
    $sth = $dbh->prepare($sql);
    $sth->execute($sometext);

First, it will do all the escaping for you; second, it will protect your script against injection attacks.

BTW, if you are going to do a lot of this, you should look at a framework like CGI::Application that does a lot of the heavy lifting for you.

—Brad
"The important work of moving the world forward does not wait to be done by perfect men." George Eliot

Re^2: MySQL question
by Dranzaz (Sexton) on Nov 28, 2008 at 14:34 UTC
    Thanks to all above. The shortened script works. Will now be updating the larger read and insert script and am crossing my fingers.
    I had read the documentation on placeholders but was not keen on their use.
    Thank you for the direct examples, they now make sense.
      In addition to what everyone else has said, placeholders are also good for performance. Instead of preparing the same statement handle over and over again (when inserting multiple rows), it only needs to be done once. They also make the code a lot cleaner, making it more obvious which values are supplied and which are static.
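A runnable illustration of both points in this thread (the escaping/injection point in Brad's post and the prepare-once, execute-many point in the reply above). This is an added example, not code from either poster; it assumes DBD::SQLite is installed so an in-memory database can stand in for MySQL, and the table name, column name and sample values are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database keeps this offline.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE my_table (id INTEGER PRIMARY KEY, update_1 TEXT)");

# Constructed sample input: an ordinary value that happens to contain a quote.
my $sometext = "O'Reilly";

# 1. String interpolation: the apostrophe in the data terminates the SQL
#    string literal early, the statement is malformed, and DBI dies under
#    RaiseError. Data that changes the shape of the query is exactly the
#    door an injection walks through.
eval {
    my $sql = qq{ insert into my_table (update_1) values ('$sometext') };
    $dbh->do($sql);
};
print "interpolated insert failed: $@" if $@;

# 2. Placeholder: the value is sent separately from the SQL text, so the
#    driver handles quoting and the query's structure cannot be altered.
my $sth = $dbh->prepare(q{ insert into my_table (update_1) values (?) });
$sth->execute($sometext);

# 3. Prepare once, execute many: the same handle is reused for each row,
#    which is the performance (and readability) point made above.
$sth->execute($_) for ("plain text", q{it's fine}, q{"double" quotes too});

my $rows = $dbh->selectall_arrayref("SELECT update_1 FROM my_table ORDER BY id");
printf "%d rows stored:\n", scalar @$rows;
print "  $_->[0]\n" for @$rows;

$dbh->disconnect;
```

Run it with `perl placeholders.pl`: the interpolated insert reports a syntax error, while the four placeholder inserts succeed and all four values come back intact, quotes included.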