in reply to Re: drawbacks to 'eval' parameters/placeholders/binding in DBI calls to mysql database
in thread drawbacks to 'eval' parameters/placeholders/binding in DBI calls to mysql database

The solution is the appropriate use of quotemeta (aka \Q..\E) for eval and $dbh->quote_identifier for prepare.

The OP's code is needless complicated as JavaFan pointed out, so I'll apply the solution to his code: 

my %memberRecord = ...;

my @cols = keys   %memberRecord;
my @vals = values %memberRecord;

my $stmt = do {
    local $" = ", ";
    my @q_cols = map $dbh->quote_identifier($_), @cols;
    my @params = ('?') x @cols;
    "INSERT INTO $tableName (@q_cols) VALUES (@params)"
};

my $sth = $dbh->prepare($stmt);
$sth->execute(@vals);

[download]
  • Comment on Re^2: drawbacks to 'eval' parameters/placeholders/binding in DBI calls to mysql database
  • Select or Download Code

Replies are listed 'Best First'.
Re^3: drawbacks to 'eval' parameters/placeholders/binding in DBI calls to mysql database
by nextguru (Scribe) on Aug 20, 2009 at 22:43 UTC
    Thanks. A quick test confirms that at least a single quote in a column name is covered with the proposed fix. I will investigate more, but I think I'm on the right track now thanks to all.
[reply]

In Section Seekers of Perl Wisdom