anothersmurf:

Yeah, perldoc -f join is one of those *really convenient* functions. Before I learned it, I was always doing things like adding a trailing comma to everything, and then clipping off the last one. But I didn't notice that I was always doing things like that until I found the join function. Now I look back and think "Why didn't I notice that and write a join equivalent for <language X>? Ah, well, you can never notice *all* the assumptions you make...

As someone else has already remarked, placeholders can't be used *everywhere*, but they're still very convenient. When you can't use them, and need to build some dynamic SQL on the fly, be sure to check out $DB->quote($data) to ensure that the data is properly quoted. That'll go a long way in reducing the attack surface of your application.

...roboticus

When your only tool is a hammer, all problems look like your thumb.

my $request = "SELECT * FROM dbname WHERE unit = ? AND name1 REGEXP ? 
+AND email REGEXP ? ORDER BY unit"

my $dbh = DBI->connect("DBI:mysql:database=database;host=localhost", "
+user", "passwd",{'RaiseError' => 1});

my $sth = $dbh->prepare($request);

$sth->execute("001", "duckman", "google.com");

while (my $ref = $sth->fetchrow_hashref())
{
    # here is where the magic happens
    h3("this should be running but isn't");
    h3("Unit $ref->{'unit'}");
}
[download]

Hi anothersmurf,

A quick search of the MySQL documentation came up with http://dev.mysql.com/doc/refman/5.6/en/regexp.html. If you're using the REGEXP operator, you want your strings to look like regular expressions. Does something like

$sth->execute("001", ".*duckman.*", ".*google.com");
[download]

work in your code (untested and what have you)?

    h3("this should be running but isn't");
    h3("Unit $ref->{'unit'}");
[download]

Notice the lack of a print anywhere in that block.....

Also it was in the wrong place. Hours beating on this sillyness.

Yes I had quotes on the REGEXP, in my original version. I kept having to modify it to put it here because it looks nothing like this in the code (and the last version where I hard coded it I forgot to, but it wouldn't have worked anyway because of the problems above.)

Live and learn I guess. Sorry to waste everyone's time.

OK....

I didn't know they were called placeholders until I came to this site. When I google searched for "mysql select placeholders", I discovered this:

http://stackoverflow.com/questions/8054421/mysql-perl-placeholder-rules

Says: "With most drivers, placeholders can't be used for any element of a statement that would prevent the database server from validating the statement and creating a query execution plan for it."

So now I guess I need to sanitize the user input for the select statement so there is less risk of attack on that front and simply execute() with no arguments.

There is no problem using placeholders as arguments in the "WHERE" part of your SQL.

CountZero

A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

My blog: Imperial Deltronics