Re^5: SQL Query error while executing in perl. Is it possible to execute these Scripts??

Wrong. Most SQL engines require single quotes for values, and double quotes for otherwise illegal identifiers.

The "Wrong" bit is debatable Alexander as I believe the node you replied to was attempting to comment on the inclusion of @something in the same SQL which included $tim. I read the node as you could use single quotes around the SQL string to avoid @something being interpreted by Perl as an array but since you also include $tim you need to use double-quotes (around the SQL) and escape the @something.

However, other than that I agree with most of your points and advice except to point out a slight snag with the quote_identifier. Most databases have some rather nasty rules about quoted and unquoted identifiers like some uppercase unquoted identifiers, some lowercase them and some keep the case. Once you use quoted_identifier in many databases you have to get the case exactly right. Some also require table/column names the same as reserved words to be quoted. All I'm really saying is it is not clear cut whether to use quote_identifier always.

Comment on Re^5: SQL Query error while executing in perl. Is it possible to execute these Scripts??

Replies are listed 'Best First'.
Re^6: SQL Query error while executing in perl. Is it possible to execute these Scripts?? by afoken (Chancellor) on Dec 08, 2010 at 12:58 UTC
The "Wrong" bit is debatable No, it's just wrong, regarding the quotes. I totally lost the thread context when replying to Re^3: SQL Query error while executing in perl. Is it possible to execute these Scripts??. All that I wanted to comment was the possible SQL injection ... `my $sql = "DECLARE \@log varchar(5) SET \@log=$tim Update dbo.tltime s +et logtime = \@log"; # ... here --^` [download] ... combined with the words "so , use double-quotes", this lead to ... `my $sql = "DECLARE \@log varchar(5) SET \@log=\"$tim\" Update dbo.tlti +me set logtime = \@log"; # ^^ ^^` [download] ... in my mind. Which is even worse than what was posted. This lead to my "Wrong." posting. Still, at least MySQL allows values in double quotes, unless ANSI QUOTES are enabled. Regarding problems with quoted identifiers, you are right. Quoting identifiers can cause more problems than it is worth. Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^6: SQL Query error while executing in perl. Is it possible to execute these Scripts??
by afoken (Chancellor) on Dec 08, 2010 at 12:58 UTC

The "Wrong" bit is debatable

No, it's just wrong, regarding the quotes. I totally lost the thread context when replying to Re^3: SQL Query error while executing in perl. Is it possible to execute these Scripts??. All that I wanted to comment was the possible SQL injection ...

my $sql = "DECLARE \@log varchar(5) SET \@log=$tim Update dbo.tltime s
+et logtime = \@log";
#                                   ... here --^
[download]

... combined with the words "so , use double-quotes", this lead to ...

my $sql = "DECLARE \@log varchar(5) SET \@log=\"$tim\" Update dbo.tlti
+me set logtime = \@log";
#                                             ^^    ^^
[download]

... in my mind. Which is even worse than what was posted. This lead to my "Wrong." posting. Still, at least MySQL allows values in double quotes, unless ANSI QUOTES are enabled.

Regarding problems with quoted identifiers, you are right. Quoting identifiers can cause more problems than it is worth.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

[reply]
[d/l]
[select]