I highly recommend using the DBI's ? substitution operator unless you know that $xvar, $yvar or $zvar don't contain any meta characters. But you should use them anyway, since that's what they're made for ;)
A short explanation:
When sending a query to the DBI, you can use the ? character and the arguments to C<exec()> to have the contents being substituted be checked for what may otherwise be considered metacharacters (characters that mean something other than themselves, e.g. ' (begin/end string), % (mysql's glob character), & (the conjunction character), etc.).
Here's an example:
my $query = "SELECT * FROM lala WHERE moomoo = ?";
my $sth = $dbh->prepare($query);
# at this point, the query string is parsed, and discovers
# that there is one substitution. The DBI will require one
# argument to the C<execute()> function and complain if it
# doesn't see one.
foreach my $moomoo_val ( @vals ){
    # Note that the query is now cached, and can be
    # re-C<execute()>'d as many times as you wish.
    $sth->execute($moomoo_val);
    while(my $row = $sth->fetchrow_hashref){
        print( join("\t", values %$row), "\n" );
    }
}
(This code is not tested, and yes, I know the same thing could be achieved with less code.)
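As an added, runnable illustration of the point above (not part of the original post), the script below builds a small in-memory SQLite table with constructed rows and looks up values two ways: by interpolating the value into the SQL string, and through a ? placeholder that is prepared once and execute()'d per value, as in the loop above. A value containing an apostrophe (O'Reilly) breaks the interpolated statement but is passed through the placeholder as plain data. It assumes DBI and DBD::SQLite are installed; the table name lala and column moomoo are taken from the post, and all rows are constructed here.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Constructed example: in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE lala (id INTEGER PRIMARY KEY, moomoo TEXT)");
my $ins = $dbh->prepare("INSERT INTO lala (moomoo) VALUES (?)");
$ins->execute($_) for ("plain", "O'Reilly", "50%");

# Values to look up; two of them carry SQL metacharacters (' and %).
my @vals = ("plain", "O'Reilly", "50%");

# 1. String interpolation: the quote in O'Reilly terminates the SQL
#    string early, so the statement no longer parses and DBI dies.
for my $v (@vals) {
    my $sql  = "SELECT * FROM lala WHERE moomoo = '$v'";
    my $rows = eval { $dbh->selectall_arrayref($sql) };
    my $err  = $@ ? (split /\n/, $@)[0] : "";
    printf "interpolated %-10s -> %s\n", "'$v'",
        defined $rows ? scalar(@$rows) . " row(s)" : "ERROR: $err";
}

# 2. Placeholder: the statement is parsed once by prepare(); every
#    execute() hands the value to the driver as data, so ' and % are
#    ordinary characters and each lookup returns exactly its own row.
my $sth = $dbh->prepare("SELECT * FROM lala WHERE moomoo = ?");
for my $v (@vals) {
    $sth->execute($v);
    my $n = 0;
    while (my $row = $sth->fetchrow_hashref) {
        $n++;
        print join("\t", map { $row->{$_} } sort keys %$row), "\n";
    }
    printf "placeholder  %-10s -> %d row(s)\n", "'$v'", $n;
}

$dbh->disconnect;
```

Run it with perl and compare the two blocks of output: the interpolated form reports a syntax error for O'Reilly, while the placeholder form returns one row for every value. The same prepared handle serves all three lookups, which is the caching behaviour the comment in the post refers to.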