bradcathey has asked for the wisdom of the Perl Monks concerning the following question:
Fellow Monastians,
I've always used placeholders, but was wondering about the safety, or not, of concatenating a query statement with column names. So, note the concatenation at the end of $stmt = below:
    # pick the column name in Perl, then concatenate it into the statement
    my $sort_by = ($sort eq 'date') ? 'date_of' : 'user_name';
    my $stmt = 'SELECT * FROM time_sheet WHERE user_id = ? ORDER BY ' . $sort_by;
    # the user id still goes through a placeholder
    my $user_time = $dbh->selectall_arrayref($stmt, { Slice => {} }, $user_id);
vs. the long-hand method:
    # write out one complete statement per sort order, no concatenation
    my $stmt;
    if ($sort eq 'date') {
        $stmt = 'SELECT * FROM time_sheet WHERE user_id = ? ORDER BY date_of';
    }
    else {
        $stmt = 'SELECT * FROM time_sheet WHERE user_id = ? ORDER BY user_name';
    }
    my $user_time = $dbh->selectall_arrayref($stmt, { Slice => {} }, $user_id);
Obviously the first one is a bit more streamlined, but I'm unsure of the safety of it. Thoughts?
—Brad
"The important work of moving the world forward does not wait to be done by perfect men." George Eliot
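The pattern the question is circling around is an allow-list: the only thing that ever gets interpolated into the SQL is a literal column name chosen by the program, never the request value itself. The following is an added, self-contained example (it is not code from the original post or from any of the replies); it assumes DBI with DBD::SQLite is installed, and the time_sheet table and its rows are constructed inline so that the script runs offline against an in-memory database.

```perl
#!/usr/bin/perl
# Added example, not part of the original thread. Assumes DBI and DBD::SQLite;
# the table, rows and the hypothetical 'hours' column are constructed here for
# demonstration and mirror the post's time_sheet query.
use 5.010;
use strict;
use warnings;
use DBI;

# Allow-list: keys are what a caller may send in $sort, values are the only
# strings that will ever be interpolated into SQL. The request value itself
# never reaches the statement text, only the literal we wrote here does.
my %SORT_COLUMNS = (
    date => 'date_of',
    user => 'user_name',
);

# Lenient variant: unknown sort keys fall back to the default column.
sub build_stmt {
    my ($sort) = @_;
    my $column = $SORT_COLUMNS{ $sort // '' } // $SORT_COLUMNS{user};
    return 'SELECT user_id, user_name, date_of, hours FROM time_sheet'
         . " WHERE user_id = ? ORDER BY $column";
}

# Strict variant: refuse anything that is not in the allow-list, which is the
# better choice when the sort key comes from an untrusted HTTP parameter.
sub build_stmt_strict {
    my ($sort) = @_;
    my $column = $SORT_COLUMNS{ $sort // '' }
        or die 'unknown sort column: ' . ($sort // 'undef') . "\n";
    return 'SELECT user_id, user_name, date_of, hours FROM time_sheet'
         . " WHERE user_id = ? ORDER BY $column";
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE time_sheet (user_id INTEGER, user_name TEXT,'
       . ' date_of TEXT, hours REAL)');
my $ins = $dbh->prepare('INSERT INTO time_sheet VALUES (?, ?, ?, ?)');
$ins->execute(@$_) for (
    [ 7, 'brad', '2011-06-23', 8 ],   # constructed sample rows
    [ 7, 'brad', '2011-06-21', 4 ],
    [ 9, 'eve',  '2011-06-22', 6 ],
);

# The third value is what an attacker would send if $sort were concatenated
# directly; with the allow-list it simply maps to the default column.
for my $sort ('date', 'user', "date_of; DROP TABLE time_sheet; --") {
    my $stmt = build_stmt($sort);
    my $rows = $dbh->selectall_arrayref($stmt, { Slice => {} }, 7);
    printf "%-35s -> %s\n", $sort,
        join ', ', map { $_->{date_of} } @$rows;
}

# The strict builder dies on the same input instead of guessing.
eval { build_stmt_strict("date_of; DROP TABLE time_sheet; --") };
print "strict builder: $@" if $@;

$dbh->disconnect;
```

Two points worth keeping in mind when reading this. First, the hash lookup is the whole security argument: it is a fixed map from request values to identifiers you typed, so there is nothing for an attacker to inject regardless of how `$stmt` is assembled afterwards. Second, DBI's `$dbh->quote_identifier` is sometimes suggested for this job; it quotes an identifier so that it cannot break out of the identifier position, but it does not check that the column exists or that the caller should be allowed to sort by it, so it complements an allow-list rather than replacing one.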
Re: Safety of concatenating query string
    by roboticus (Chancellor) on Jun 23, 2011 at 17:10 UTC
        by bradcathey (Prior) on Jun 24, 2011 at 19:16 UTC
Re: Safety of concatenating query string
    by {}think (Sexton) on Jun 24, 2011 at 10:16 UTC
        by Jenda (Abbot) on Jun 25, 2011 at 22:07 UTC
            by {}think (Sexton) on Jun 27, 2011 at 15:36 UTC
Re: Safety of concatenating query string
    by sundialsvc4 (Abbot) on Jun 28, 2011 at 13:25 UTC