Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation
 
PerlMonks  

Re: Quote mark in string messing up mySQL INSERT

by htoug (Deacon)
on Dec 12, 2002 at 11:19 UTC ( [id://219282]=note: print w/replies, xml ) Need Help??


in reply to Quote mark in string messing up mySQL INSERT

Either placeholders or use the quote function in DBI.

I would recode your example thus (completely untested and with no warranty):

sub insertAttribute{
    my ($serverID, $featureID, $value) = @_;
    $_ = $dbh->quote($_) for qw($serverID, $featureID, $value);
    my $sqlINS = qq{ INSERT INTO attribute VALUES ($serverID, $feature
+ID, $value) };
    $dbh->do ($sqlINS);
}

[download]
Remember: $dbh->quote(expression) is your friend.

Replies are listed 'Best First'.
Re: Re: Quote mark in string messing up mySQL INSERT
by shoez (Sexton) on Dec 13, 2002 at 00:23 UTC
    Using $dbh->quote or placeholders will also prevent you from suffering SQL injection attacks... which could clear out your database if you're unlucky! tom
[reply]
      Is it safe to use apostrophes instead of quotes? In the past I have always done: 
      $dbh->do("insert into mytable values('$myStringWhichPossiblyContainsQu
+otes', '$another string', ...);

      [download]
      Rohit
[reply]
[d/l]
        Nope!!
        What if your variables contain apostrophes? Or other 'nasty' characters?

        Stick with either $dbh->quote($variable) or use placeholders.

[reply]
[d/l]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://219282]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others browsing the Monastery: (5)
As of 2024-04-19 15:14 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found