in reply to Inserting Apostrophes into SQL

I also read about the danger of inserting literal values in SQL but these files come from a well known distributor so there is little to no concern of anything malicious and I would

As you've clearly demonstrated, malicious intent is not required to break improper creation of SQL string literals. You say it's of little concern, yet it's preventing your code from working.

prefer to make the least amount of changes to this script as possible at the moment.

How can it get any simpler than moving a variable to the next line and adding a question mark?

$dbh->do( 'INSERT INTO Foo ( bar, baz ) VALUES ( ?, ? ) ', undef, $bar, $baz );

Re^2: Inserting Apostrophes into SQL
by aheusdens (Initiate) on Nov 16, 2011 at 20:39 UTC

    How can it get any simpler than moving a variable to the next line and adding a question mark?

    Is this your way of saying that I can in fact use a placeholder for that specific value and it will solve my problem? I just read about undef today and wasn't sure if it fit my situation or not.

    At some point I will have to go through all the code and see about making some more corrections to improve the overall performance/security but I just need this part working asap.

    Thanks for the input.

      Is this your way of saying that I can in fact use a placeholder for that specific value and it will solve my problem?

      Yes. I thought you knew that.

      I just read about undef today and wasn't sure if it fit my situation or not.

      It sounds like you didn't read the docs for do.

      The list of values to be bound starts at the third parameter. If one wants to pass values to be bound, one needs to specify a value for do's second parameter. The undef is the default value for that parameter.
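An added example, not code from the thread, that shows both points above: the interpolated literal breaking on an apostrophe, and the placeholder form with undef as do's second parameter. It assumes DBD::SQLite is installed; the table and values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed: in-memory SQLite database (assumes DBD::SQLite is installed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE Foo ( bar TEXT, baz TEXT )');

# Constructed input containing apostrophes, like the distributor's files.
my ($bar, $baz) = ("O'Reilly", "it's");

# Broken form: interpolating values into the SQL text. The apostrophe ends
# the string literal early and the statement fails to parse, so do() dies.
eval {
    $dbh->do("INSERT INTO Foo ( bar, baz ) VALUES ( '$bar', '$baz' )");
};
print "interpolated insert failed: $@" if $@;

# Working form: placeholders. do()'s second argument is the statement
# attribute hashref (undef here); the values to bind follow it.
$dbh->do('INSERT INTO Foo ( bar, baz ) VALUES ( ?, ? )', undef, $bar, $baz);

# Check that the row was stored with the apostrophes intact, again binding
# the lookup values through placeholders.
my ($count) = $dbh->selectrow_array(
    'SELECT COUNT(*) FROM Foo WHERE bar = ? AND baz = ?', undef, $bar, $baz);
print "rows matching bound values: $count\n";

$dbh->disconnect;
```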