Re^4: regexp question

Hello Ikegmai:

Greetings. I have reached the point I am at as follows: I translate text using HTML::Entities, then store it with the newly generated HTML names (e.g., #8220) in my RDBMS table; they will not 'insert' otherwise (I have observed that single and double quotes are especially disliked). Once translated by encode_entities(), MySQL behaves well, accepting the text for insertion.

Now I need to search on this text using 'select' and 'like' in the SQL.

Overnight I decided on an approach: encode all query criteria using a similar Java encode class, then search. What do you think? In this way one is always comparing apples with apples, or so it seems to me.

My special thanks being able to chat so-to-speak with you and Anonymous Monk on this subject.

Comment on Re^4: regexp question

Replies are listed 'Best First'.
Re^5: regexp question by Anonymous Monk on Jan 29, 2011 at 17:08 UTC
they will not 'insert' otherwise That can mean only one thing, you're not using placeholders. bobby-tables.com: A guide to preventing SQL injection	[reply]
Re^6: regexp question by Nodonomy (Novice) on Jan 29, 2011 at 18:01 UTC
Thank you. I'm checking this out. Already, with some pre-liminary checking, I see the point, which is bigger than just being able to do the insert itself.	[reply]
Re^5: regexp question by ikegami (Patriarch) on Jan 29, 2011 at 18:14 UTC
Yes, definitely use placeholders. There's some documentation on the DBI page, but it's really quite simple: `# BAD! $dbh->do(" INSERT INTO Table ( a, b, c, ) VALUES ( '$fields[0]', '$fields[1]', '$fields[2]' ) ");` [download] and `# BAD! my $sth = $dbh->prepare(" INSERT INTO Table ( a, b, c, ) VALUES ( '$fields[0]', '$fields[1]', '$fields[2]' ) "); $sth->execute();` [download] become `$dbh->do( (" INSERT INTO Table ( a, b, c, ) VALUES ( ?,?,? ) "), undef, @fields, );` [download] or `my $sth = $dbh->prepare(" INSERT INTO Table ( a, b, c, ) VALUES ( ?,?,? ) "); $sth->execute(@fields);` [download]	[reply] [d/l] [select]