For placeholders, here's my take.
- Efficiency? I doubt that you'd ever spot a difference.
- Security? Yes, but it's not as simple as trivial SQL injection. In another message you wrote that "Quotes are escaped". I guess you are aware that different database engines allow different escaping mechanisms? That's why DBI offers the quote method to do the right thing for your particular database engine. You might, at some point in the future, fall in love with a different SQL engine. If you use placeholders, the engine's driver will use its correct quoting. Manually quoting every string with $dbh->quote works, too, but is cumbersome to review and more work if you add columns. Once you got into the habit of using placeholders, you and everyone reading your code can see that quoting has been taken care of.
- Because Perl culture says so? Well, every other programming language I've been using has the same recommendation: Use placeholders.
|Replies are listed 'Best First'.|
Re^8: Best practices for closing database connections?
by erix (Prior) on Jun 16, 2022 at 09:56 UTC