in reply to Re^12: CGI Action call
in thread CGI Action call

    # $query (CGI object) and $dbh (DBI handle) are assumed to exist already
    my $kind       = $query->param('kind');
    my $searchterm = $query->param('searchterm');
    my $searchfield;

    # The column name is chosen from a fixed set, never taken from the request
    if ($kind == 0) {
        $searchfield = 'user_id';
    }
    elsif ($kind == 1) {
        $searchfield = 'lastname';
    }
    elsif ($kind == 2) {
        $searchfield = 'business';
    }

    # Only the whitelisted column name is interpolated; the value is bound via ?
    my $stmt = "SELECT * FROM users WHERE $searchfield = ? ORDER BY $searchfield";
    my $sth  = $dbh->prepare($stmt);
    $sth->execute($searchterm);

In the above, the interpolated field $searchfield is not user-supplied. The user-supplied $searchterm uses a placeholder, so there is no problem searching for the lastname O'Reilly.

poj
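The pattern in poj's reply, as an added, self-contained example (not poj's code and not from the thread): the column name comes from a fixed hash keyed by kind, the search value is always a bound placeholder, and an unknown kind is rejected before any SQL is built. It assumes DBD::SQLite is installed and uses a constructed in-memory users table so it runs offline.

```perl
#!/usr/bin/env perl
# Added example: whitelisted column name plus a bound placeholder for the
# user-supplied value. Uses an in-memory SQLite database via DBD::SQLite
# (assumed installed); table and rows below are constructed sample data.
use strict;
use warnings;
use DBI;

# Only these three strings can ever be interpolated into the SQL text.
my %field_for_kind = (
    0 => 'user_id',
    1 => 'lastname',
    2 => 'business',
);

# Returns an array ref of matching rows (hash refs). Dies on an unknown or
# missing kind so that an unexpected value never reaches the SQL string.
sub search_users {
    my ($dbh, $kind, $searchterm) = @_;
    die "unknown search kind\n"
        unless defined $kind && exists $field_for_kind{$kind};
    my $searchfield = $field_for_kind{$kind};

    # Column name is whitelisted; the value travels as a bound parameter.
    my $stmt = "SELECT * FROM users WHERE $searchfield = ? ORDER BY $searchfield";
    my $sth  = $dbh->prepare($stmt);
    $sth->execute($searchterm);
    return $sth->fetchall_arrayref({});
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data.
$dbh->do('CREATE TABLE users (user_id INTEGER, lastname TEXT, business TEXT)');
my $ins = $dbh->prepare('INSERT INTO users VALUES (?, ?, ?)');
$ins->execute(1, "O'Reilly", 'ACME');
$ins->execute(2, 'Smith',    'ACME');

# The apostrophe in O'Reilly is harmless: it is data, not part of the SQL.
my $rows = search_users($dbh, 1, "O'Reilly");
printf "kind=1 term=O'Reilly -> %d row(s), user_id %d\n",
    scalar @$rows, $rows->[0]{user_id};

# Numeric kind 2 selects the 'business' column; both rows match.
$rows = search_users($dbh, 2, 'ACME');
printf "kind=2 term=ACME -> %d row(s)\n", scalar @$rows;

# An out-of-range kind is rejected before any SQL is built.
eval { search_users($dbh, 7, 'x') };
print "kind=7 -> rejected: $@" if $@;
```

The hash lookup replaces the if/elsif chain with the same effect but also covers the fall-through case: in the original, a kind of 3 would leave $searchfield undefined and produce a malformed statement, whereas here it dies with a clear message.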