ALWAYS use parameters EVERYWHERE

and the proper way to quote an identifier e.g., a column name is quote_identifier.

When can't you? It's perfectly possible to dynamically generate parameterized queries, even.

For constants? Why? Why would you want to force both the server and the client to do more work?

You should definitely use placeholders for data coming from outside, but I don't see any reason to use them for literal constants.

Why?
• Orthogonality
• To avoid mistakes
• Easier to read
• Looks nicer
• ...

:-)

CountZero

A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

Well, beauty is in the eye of the beer holder, but ... easier to read? How is

$dbh2->do("INSERT INTO PerlTest (Postcode,street_column,streetCount) V
+ALUES (?,?,?)", undef, '', $mystreet, 0);
[download]

easier to read than

$dbh2->do("INSERT INTO PerlTest (Postcode,street_column,streetCount) V
+ALUES ('',?,0)", undef, $mystreet);
[download]

? Not speaking about

my $sth = $dbh2->prepare("INSERT INTO PerlTest (Postcode,street_column
+,streetCount) VALUES (?,?,?)");
...
$sth->execute('', $mystreet, 0);
[download]

versus

my $sth = $dbh2->prepare("INSERT INTO PerlTest (Postcode,street_column
+,streetCount) VALUES ('',?,0)");
...
$sth->execute($mystreet);
[download]

Plus it makes the errors more likely, not less. IMnsHO.

Jenda
Enoch was right!
Enjoy the last years of Rome.

Thanks everyone for your input. This works like a charm - thanks a lot.

$mystreet=$_;
$dbh2->do("INSERT INTO PerlTest (Postcode,Street,streetCount) VALUES (
+?,?,?)", undef, '', $mystreet, 0);
[download]


Not sure what "undef" does though. I also dont understand why putting it into a variable makes it work as it seems to need quotes around it so it doesnt split it into two words, as in the "high" and "street" example. Street is a just a varchar for info and it was on sql server for anybody else coming to this topic.

CREATE TABLE [dbo].[PerlTest](
    [Postcode] [varchar](50) NULL,
    [Street] [varchar](50) NULL,
    [streetCount] [int] NULL
) ON [PRIMARY]
[download]

Not sure what "undef" does though.

The undef in your do call is for attributes to pass to the do method (I've never seen anyone use those but I guess it may apply if you want an attribute passed to the prepare method) - see DBI.

I also dont understand why putting it into a variable makes it work...

The difference between what you were doing (which did not work) and what you are doing is you were passing you insert data in the SQL string before and now you are passing it as a parameter:

before "insert into mytable (x) values($street)" results in insert into mytable(x) values(high street)" which will not parse correctly because of the unquoted "high street".

now you are using insert into mytable(x) values(?)" which does parse correctly and the DBD passes the $street variable as a bound parameter which does not need quoting (as it is not in the SQL string) and the driver takes all of the string as the replacement parameter.