Simon Avery wrote:
> It's still interpolated. The single quotes are just characters when
> enclosed in outer double-quotes.
>
> my $dbh = DBI->connect ($dsn, $dbusername, $dbpassword);
> my $sth = $dbh->prepare("SELECT * FROM table WHERE person_id = '$variable'");
> $sth->execute();
> my @row = $sth->fetchrow_array;
> $sth->finish();
> $dbh->disconnect();
>
> If building complicated queries, I find it easier to do a string first,
> but that's just me.
>
> my $sql = "SELECT * FROM table WHERE person_id = '$variable'";
> my $sth = $dbh->prepare($sql);

Let's hope $variable doesn't become something like ...

sponge'; drop database blah;

... shall we :)

Passing variables through the execute process is very very safe. It quotes, escapes and is rather splendid all round.

Steve

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
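The difference Steve is pointing at, shown side by side as an added example (this is not code from either poster). It assumes DBD::SQLite is installed and uses a constructed in-memory table; the hostile value is a tautology rather than a second statement because DBD::SQLite refuses multiple statements in one prepare by default. With a `?` placeholder the value is handed to the driver separately from the SQL text (or quoted by DBI for drivers that only emulate placeholders), so it can never be parsed as part of the query:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database (assumption: DBD::SQLite is available).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE person (person_id TEXT, name TEXT)");
$dbh->do("INSERT INTO person VALUES ('sponge',  'Bob')");
$dbh->do("INSERT INTO person VALUES ('patrick', 'Patrick')");

# Hostile input: closes the string literal and appends an always-true clause.
my $variable = "sponge' OR '1'='1";

# 1. Interpolation, as in the quoted message: the input becomes SQL.
#    The resulting query is
#      SELECT name FROM person WHERE person_id = 'sponge' OR '1'='1'
#    and the WHERE clause no longer restricts anything.
my $sql  = "SELECT name FROM person WHERE person_id = '$variable'";
my $rows = $dbh->selectall_arrayref($sql);
printf "interpolated: %d row(s)\n", scalar @$rows;   # 2: the filter was bypassed

# 2. Placeholder: the SQL is fixed at prepare time and the value is bound
#    at execute time, so the quote inside $variable is just data.
my $sth = $dbh->prepare("SELECT name FROM person WHERE person_id = ?");
$sth->execute($variable);
my $bound = $sth->fetchall_arrayref;
printf "bound:        %d row(s)\n", scalar @$bound;  # 0: nobody has that literal id

# The same placeholder is reused safely for a legitimate value.
$sth->execute('sponge');
my ($name) = $sth->fetchrow_array;
printf "lookup:       %s\n", $name;                  # Bob

$sth->finish;
$dbh->disconnect;
```

If a query genuinely has to be assembled as a string (dynamic column lists, for instance), the placeholders still go in the string and the values still go to `execute`; `$dbh->quote($value)` is the fallback for the rare spot where a placeholder is not allowed, never raw interpolation.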