As adrianh has already noted, you can't say for sure if 'hello' is a quoted string or an unquoted one waiting for its quotes to be escaped.

A better regexp would be

    print "quoted" if $string =~ /^["'].*\1$/;
[download]

But then again, it won't solve the problem of checking for escaped quotes within the string.

Take 'O'Reilly', for example. It will pass the quoted test, but it will have a unescaped quote inside.

But then again, it won't solve the problem of checking for escaped quotes within the string.

To me this is the wrong time/place to worry about this. You deal with issues like that when you read your data in. My understanding is that the OP wanted to design an interface that could take quoted variables and do the right thing, or take unquoted variables and do the right thing. As long as the interface defines clearly what constitues a quoted variable, and what the rules it uses to recognize one, then it is the callers responsibility to handle the data appropriately.

Consider that perhaps on occasion the fact that the quote handling isn't perfect may be a useful workaround for a tight situation.

However the fact that this behaviour is open to abuse might make me add a safety mechanism to prevent it if I choose, and would certainly result in a note in the documentation stating that it is no more secure than the data it is fed.


---
demerphq

_{<Elian> And I do take a kind of perverse pleasure in having an OO assembly language...}

To me this is the wrong time/place to worry about this. You deal with issues like that when you read your data in

That's what I was originally doing, too. But because I still needed to use the data and manipulated it and return it to the user, it meant I needed to keep two copies of the data. One that was from the form/input and one that was the quoted version (which would be just as updated).

What I was aiming for was flexibility more than anything else. But I guess that the abstraction layer I've written for the DB stuff now should accomplish the flexibility since it handles matching the names, values and placeholders automatically and always runs prepare() on them itself.

Still better is:

print "quoted\n" if /^'([^'].*)'$/ and ($1 !~ /[^\\]'/);
[download]

That makes sure the string starts and ends with a quote (as the previous one does), and that there are no unescaped quotes in the string apart from the first and last.

This makes more assumptions about what your string looks like; it assumes you're using MySQL-style quoting---quote char is single-quote, escape char is backslash. I don't think there's a way around hardcoding your knowledge of your database's quoting into your script; the previous post.

And you still don't know for sure if 'hello' is a quoted string or an unquoted string containing quotes at the beginning and end; you need some kind of meta-information for that.

Seems like this could be a useful application of Text::Balanced...

I don't know if this helps, but anyway:

#!/usr/bin/perl -w
use strict;
use Text::Balanced qw( extract_quotelike );

for ( 
      'O\'Reilly, \'Tim\' "Timmy"',
      'q # an octothorpe: \# (not the end of the q!) #',
      "'SELECT name FROM DUAL;'",
      '  "You said, \"Use sed\"."  ',
    ) {
  my ($extracted, $remainder) = extract_quotelike;
  print "STRING: $_\n";
  print "  TOOK: $extracted\n";
  print "  LEFT: $remainder\n";
  print " ERROR: $@->{error}\n" if $@;
}
[download]

---
"A Jedi uses the Force for knowledge and defense, never for attack."