Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

Re: Placeholders in SQL query

by erix (Prior)
on Oct 10, 2014 at 15:17 UTC ( [id://1103430]=note: print w/replies, xml ) Need Help??


in reply to Place holders in SQL query

Unless you have unsafe values in that database (for 'state') I don't see why you'd need placeholders here.

The idea of placeholders for security is for when the values that are passed to the SQL are untrusted. When you just got them from your own database there is no risk, as far as I can see (provided, of course, that there is no rubbish in the data-providing table(s)).

Don't forget placeholder-usage comes with a price. It's becomes harder for the planner to pick a good execution plan (as it has less precise/constant information/statistics about what it is that the query has to do).

Replies are listed 'Best First'.
Re^2: Place holders in SQL query
by hippo (Bishop) on Oct 10, 2014 at 16:09 UTC
    Don't forget placeholder-usage comes with a price. It's becomes harder for the planner to pick a good execution plan

    Don't forget non-placeholder-usage comes with a price. It is much less efficient to prepare and execute 1,000,000 separate queries than it is to prepare a query once and then execute 1,000,000 times with different bound arguments.

[reply]
Re^2: Place holders in SQL query
by Anonymous Monk on Oct 10, 2014 at 15:31 UTC
    I don't see why you'd need placeholders here.

    Someday someone will (accidentally?) stuff an untrusted value into the variable that's being interpolated. Or a bad value will somehow get into the database.

    Don't forget placeholder-usage comes with a price.

    Optimizations should be reserved for later, when benchmarking shows the problem is in the query.

    Placeholders are a good idea.

[reply]
Re^2: Place holders in SQL query
by Anonymous Monk on Oct 10, 2014 at 15:28 UTC
    In my particular situation its not a case of "untrusted" data, but I have to escape the data been passed. I know if I do this (noticed the single quotes): 
    my $statedata = join ' OR ', map { "state = ‘$_->{ state}’" } @$cityda
+ta;

    [download]
    The single quotes need to be there in order to work and by using place holders I would not have to do that.
[reply]
[d/l]
Re^2: Place holders in SQL query
by Anonymous Monk on Oct 11, 2014 at 03:21 UTC

    The idea of placeholders for security is for when the values that are passed to the SQL are untrusted.

    If the programmer did not type the data into the program sourcecode, then it is external to the program, then it is not safe to use without placeholders

[reply]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://1103430]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others lurking in the Monastery: (4)
As of 2024-04-20 07:42 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found