Simon Avery wrote:
> It's still interpolated. The single quotes are just characters when
> enclosed in outer double-quotes.
>
> use DBI;
> my $dbh = DBI->connect ($dsn, $dbusername, $dbpassword);
> my $sth = $dbh->prepare("SELECT * FROM table WHERE person_id = '$variable'");
> $sth->execute();
> my @row = $sth->fetchrow_array;
> $sth->finish();
> $dbh->disconnect();
>
> If building complicated queries, I find it easier to do a string first,
> but that's just me.
>
> my $sql = "SELECT * FROM table WHERE person_id = '$variable'";
> my $sth = $dbh->prepare($sql);
Let's hope $variable doesn't become something like ...
sponge'; drop database blah;
... shall we :)
Passing variables through the execute process is very very safe. It
quotes, escapes and is rather splendid all round.
Steve
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
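The following is an added example, not code from either message above. It puts the interpolated query quoted from Simon next to the placeholder form Steve recommends and runs both against a small in-memory SQLite table constructed for the purpose (it assumes DBI and DBD::SQLite are installed; the table, rows and the hostile input are all made up here). The first lookup shows the injected input rewriting the WHERE clause; the bound lookup shows the same input, and Steve's "sponge" value, treated purely as data.

```perl
#!/usr/bin/perl
# Added example (not from the thread): the interpolated query from the quoted
# message beside the placeholder form, run against a constructed in-memory
# SQLite database. Assumes DBI and DBD::SQLite are installed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data.
$dbh->do("CREATE TABLE person (person_id TEXT, name TEXT)");
my $ins = $dbh->prepare("INSERT INTO person (person_id, name) VALUES (?, ?)");
$ins->execute(@$_) for ['alice', 'Alice Smith'], ['bob', 'Bob Jones'];

# The form quoted in the thread: $id is pasted straight into the SQL text,
# so anything containing a quote character changes the statement itself.
sub interpolated_lookup {
    my ($dbh, $id) = @_;
    my $sql = "SELECT person_id FROM person WHERE person_id = '$id'";
    return $dbh->selectcol_arrayref($sql);
}

# The placeholder form: ? is bound at execute time by the driver, so $id is
# only ever compared as a value and no quoting is left to the caller.
sub bound_lookup {
    my ($dbh, $id) = @_;
    return $dbh->selectcol_arrayref(
        "SELECT person_id FROM person WHERE person_id = ?", undef, $id);
}

# A hostile value that closes the quoted literal and appends an always-true test.
my $hostile = "nobody' OR '1'='1";

my $leaked = interpolated_lookup($dbh, $hostile);
printf "interpolated: %d row(s) -> %s\n", scalar @$leaked, join(", ", @$leaked);

my $bound = bound_lookup($dbh, $hostile);
printf "bound:        %d row(s)\n", scalar @$bound;

# Steve's example value is likewise inert when bound: it is compared as a
# string, nothing after the quote is executed, and the table is still there.
my $sponge = bound_lookup($dbh, "sponge'; drop database blah;");
printf "bound sponge: %d row(s), table still has %d rows\n",
    scalar @$sponge, $dbh->selectrow_array("SELECT COUNT(*) FROM person");

$dbh->disconnect;
```

With the interpolated version the statement that actually reaches SQLite is `... WHERE person_id = 'nobody' OR '1'='1'`, so every row comes back; the bound version looks for a person_id equal to the whole hostile string and finds none. The same applies to the "sponge" value: bound, it is just an unusual string to compare against, which is what Steve means by execute doing the quoting and escaping for you.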