PerlMonks  

Re: can't use global @_in "my"

by Jenda (Abbot)
on Jul 31, 2007 at 20:33 UTC ( [id://629923] )


in reply to can't use global @_in "my"

    $sql = "declare \@usrid int, \@sysusrid int "
         . "select \@sysusrid = suser_id\(\'$usrname\'\) "
         . "select \@usrid = $IDVALUE from $ID "
         . "where $IDNAME = \'USR_ID\' "
         . "insert into APPUSR (APP_CD, USR_ID, USRNAME, USRFNAME, USRLNAME, FNCGRP_CD, SYSUSR_ID) "
         . "values (\'A\', \@usrid, \'$usrname\', \'$first\', \'$full_last\', $fncgrp, \@sysusrid)";

Please don't! This code is hard to read and dangerous!

First, this is Perl, not Visual Basic or some other language with restricted string literals. You can write this much more readably. And actually even if you kept using doublequotes you do not need to escape singlequotes. "d\'Artagnan" is equivalent to "d'Artagnan". You could write the code like this:

    $sql = qq{
        declare \@usrid int, \@sysusrid int
        select \@sysusrid = suser_id('$usrname')
        select \@usrid = $IDVALUE from $ID
        where $IDNAME = 'USR_ID'
        insert into APPUSR (APP_CD, USR_ID, USRNAME, USRFNAME, USRLNAME, FNCGRP_CD, SYSUSR_ID)
        values ('A', \@usrid, '$usrname', '$first', '$full_last', $fncgrp, \@sysusrid)
    };
Easier on the eyes, isn't it?

In either case it's dangerous! Guess what happens if someone claims his username is "d'Artagnan"? Or maybe "') delete from APPUSR; select length('gotcha" ?

USE placeholders!

    my $sth = $$dbhCurrent->prepare( qq{
        declare \@usrid int, \@sysusrid int
        select \@sysusrid = suser_id(?)
        select \@usrid = $IDVALUE from $ID
        where $IDNAME = 'USR_ID'
        insert into APPUSR (APP_CD, USR_ID, USRNAME, USRFNAME, USRLNAME, FNCGRP_CD, SYSUSR_ID)
        values ('A', \@usrid, ?, ?, ?, ?, \@sysusrid)
    } );
    # five ? placeholders, five values, in statement order: the username is bound twice
    $sth->execute( $usrname, $usrname, $first, $full_last, $fncgrp );
Your use of $IDVALUE and $ID looks suspicious too, but those two cannot be replaced by placeholders. I do hope they are coming from someplace safe!
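The three approaches in this thread side by side, as an added example that is not part of Jenda's post: the interpolated SQL from the original code, the placeholder version, and the $dbh->quote() fallback that comes up further down in the thread. It runs against an in-memory SQLite database through DBD::SQLite (an assumption; the thread is about Sybase), so the Sybase-specific declare/select batch and suser_id() are left out and the table is a stand-in for APPUSR with the columns the posted code fills. The two usernames fed in are constructed: the d'Artagnan case and the payload from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example: an in-memory SQLite database stands in for the Sybase server
# (assumption), with a reduced APPUSR table holding the columns the posted code fills.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do(q{create table APPUSR (APP_CD char(1), USR_ID int, USRNAME text,
           USRFNAME text, USRLNAME text, FNCGRP_CD int, SYSUSR_ID int)});

my $COLS = 'APP_CD, USR_ID, USRNAME, USRFNAME, USRLNAME, FNCGRP_CD, SYSUSR_ID';

# Runs one statement (with optional bind values) and reports success or the
# driver's error message without the Perl file/line suffix.
sub run_sql {
    my ($sql, @bind) = @_;
    return 'ok' if eval { $dbh->do($sql, undef, @bind); 1 };
    (my $err = $@) =~ s/ at \S+ line \d+.*//s;
    return "failed: $err";
}

# 1. Interpolation, as in the original code: the value becomes part of the SQL text.
sub insert_interpolated {
    my ($usrname, $first, $last) = @_;
    return run_sql(qq{insert into APPUSR ($COLS)
                      values ('A', 1, '$usrname', '$first', '$last', 1, 1)});
}

# 2. Placeholders: the SQL text is fixed, the values travel separately.
sub insert_placeholders {
    my ($usrname, $first, $last) = @_;
    return run_sql(qq{insert into APPUSR ($COLS) values ('A', 1, ?, ?, ?, 1, 1)},
                   $usrname, $first, $last);
}

# 3. $dbh->quote(): still string building, but every value is escaped by the driver.
#    quote() returns the value with its outer quotes, so none are written around %s.
sub insert_quoted {
    my @q = map { $dbh->quote($_) } @_;
    return run_sql(sprintf qq{insert into APPUSR ($COLS) values ('A', 1, %s, %s, %s, 1, 1)}, @q);
}

# Constructed inputs: a real name with an apostrophe, and the payload from the post.
my @names = ("d'Artagnan", "') delete from APPUSR; select length('gotcha");

for my $name (@names) {
    print "username: $name\n";
    printf "  %-13s %s\n", 'interpolated:', insert_interpolated($name, 'Charles', 'de Batz');
    printf "  %-13s %s\n", 'placeholders:', insert_placeholders($name, 'Charles', 'de Batz');
    printf "  %-13s %s\n", 'quote():',      insert_quoted($name, 'Charles', 'de Batz');
}

# Only the placeholder and quote() inserts succeeded, and both stored the names verbatim.
print "stored: $_->[0]\n"
    for @{ $dbh->selectall_arrayref('select USRNAME from APPUSR order by rowid') };
```

On SQLite the interpolated insert fails for both inputs, because the apostrophe ends the SQL literal early and the rest no longer parses. That failure is the lucky outcome: on a server that accepts several statements in one batch, which is exactly how the posted code is written, the second input runs the delete instead. The placeholder and quote() versions store both names exactly as given.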

Re^2: can't use global @_in "my"
by diotalevi (Canon) on Aug 01, 2007 at 07:17 UTC

    Something to note - Chris is using Sybase where placeholders are alleged to come at a significant memory cost. You're frequently better off using $dbh->quote() and interpolating the escaped values.

    ⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊

      That's strange. under normal circumstances placeholders are much more efficient, especially if you reuse the statement handle returned by $dbh->prepare() and run the query many times. Do you have any links to this problem?

      In case you need to use $dbh->quote() it's possible to use Interpolation to make the syntax nicer:

      # $dbh must already exist when this runs, since use happens at compile time.
      # $dbh->quote() returns the value with its outer quotes added and any embedded
      # quotes escaped, so $'{...} is written into the SQL without extra quotes around it.
      use Interpolation "'" => sub { $dbh->quote($_[0]) };
      #...
      $sql = qq{
          declare \@usrid int, \@sysusrid int
          select \@sysusrid = suser_id($'{$usrname})
          select \@usrid = $IDVALUE from $ID
          where $IDNAME = 'USR_ID'
          insert into APPUSR (APP_CD, USR_ID, USRNAME, USRFNAME, USRLNAME, FNCGRP_CD, SYSUSR_ID)
          values ('A', \@usrid, $'{$usrname}, $'{$first}, $'{$full_last}, $fncgrp, \@sysusrid)
      };

        The DBD::Sybase docs:

        DBD::Sybase supports the use of ? placeholders in SQL statements as long as the underlying library and database engine supports it. It does this by using what Sybase calls Dynamic SQL. ... When you use ? placeholders Sybase goes and creates a temporary stored procedure that corresponds to your SQL statement. You then pass variables to $sth->execute or $dbh->do, which get inserted in the query, and any rows are returned.

        OpenClient creates stored procedures in tempdb for each prepare() call that includes ? placeholders. Creating these objects requires updating system tables in the tempdb database, and can therefore create a performance hotspot if a lot of prepare() statements from multiple clients are executed simultaneously. This problem has been corrected for Sybase 11.9.x and later servers, as they create "lightweight" temporary stored procs which are held in the server memory cache and don't affect the system tables at all.

        ...

        In general however I find that if your application is going to run against Sybase it is better to write ad-hoc stored procedures rather than use the ? placeholders in embedded SQL.

        Out of curiosity I did some simple timings to see what the overhead of doing a prepare with ? placeholders is vs. a straight SQL prepare and vs. a stored procedure prepare. Against an 11.0.3.3 server (linux) the placeholder prepare is significantly slower, and you need to do ~30 execute() calls on the prepared statement to make up for the overhead. Against a 12.0 server (solaris) however the situation was very different, with placeholder prepare() calls slightly faster than straight SQL prepare(). This is something that I really don't understand, but the numbers were pretty clear.

        In all cases stored proc prepare() calls were clearly faster, and consistently so.

        Ok, so that's a hefty quote from the online docs. Go read them yourself.

        ⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊

Re^2: can't use global @_in "my"
by mpeppler (Vicar) on Aug 02, 2007 at 18:48 UTC
    In this particular case you can't use placeholders with Sybase, because the request includes multiple statements in a single batch.

    It's probably possible to recode this to avoid multiple statements, however, and thus allow placeholders to be used.

    Michael
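One way to recode the batch as mpeppler suggests, added here as an example and not part of his reply: the declare/select/select/insert becomes a single INSERT ... SELECT, so every user-supplied value is a placeholder and there is no longer more than one statement in the request. It runs against in-memory SQLite via DBD::SQLite (an assumption; on Sybase the last item of the select list would be suser_id(?) with the username bound once more, rather than a bound SYSUSR_ID value). The IDS table and its columns are constructed stand-ins for $ID, $IDNAME and $IDVALUE, and since identifiers cannot be bound, they are checked against a fixed list before being interpolated, which is the answer to Jenda's question about where they come from.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example: in-memory SQLite stands in for Sybase (assumption). IDS is a
# constructed stand-in for the id table the posted code reads $IDVALUE from.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do(q{create table APPUSR (APP_CD char(1), USR_ID int, USRNAME text,
           USRFNAME text, USRLNAME text, FNCGRP_CD int, SYSUSR_ID int)});
$dbh->do(q{create table IDS (IDNAME text, NEXTVAL int)});
$dbh->do(q{insert into IDS values ('USR_ID', 42)});

# Table and column names cannot be bound, so the only safe way to interpolate
# $ID, $IDNAME and $IDVALUE is to accept them from a fixed list and nothing else.
my %ALLOWED = ( IDS => { IDNAME => 1, NEXTVAL => 1 } );

sub check_identifiers {
    my ($table, @columns) = @_;
    die "unexpected table '$table'\n" unless $ALLOWED{$table};
    for my $col (@columns) {
        die "unexpected column '$col' in $table\n" unless $ALLOWED{$table}{$col};
    }
}

# The declare/select/select/insert batch folded into one INSERT ... SELECT:
# the id lookup happens inside the SELECT and every user value is a placeholder.
# On Sybase the last select-list item would be suser_id(?) with $usrname bound
# once more, instead of a bound $sysusrid.
sub add_appusr {
    my ($ID, $IDNAME, $IDVALUE, $usrname, $first, $last, $fncgrp, $sysusrid) = @_;
    check_identifiers($ID, $IDNAME, $IDVALUE);
    my $sth = $dbh->prepare(qq{
        insert into APPUSR (APP_CD, USR_ID, USRNAME, USRFNAME, USRLNAME, FNCGRP_CD, SYSUSR_ID)
        select 'A', $IDVALUE, ?, ?, ?, ?, ?
        from $ID
        where $IDNAME = 'USR_ID'
    });
    return $sth->execute($usrname, $first, $last, $fncgrp, $sysusrid);   # rows inserted
}

my $n = add_appusr('IDS', 'IDNAME', 'NEXTVAL', "d'Artagnan", 'Charles', 'de Batz', 7, 1001);
print "inserted $n row(s)\n";
my ($usr_id, $name) = $dbh->selectrow_array('select USR_ID, USRNAME from APPUSR');
print "USR_ID=$usr_id USRNAME=$name\n";

# An identifier that is not on the list never reaches the SQL text.
eval { add_appusr('IDS; drop table APPUSR', 'IDNAME', 'NEXTVAL', 'x', 'x', 'x', 1, 1) };
print "rejected: $@" if $@;
```

The single statement keeps the id read and the insert in one round trip, as the original batch did, while removing the reason placeholders could not be used; the identifier check is what makes interpolating $ID, $IDNAME and $IDVALUE acceptable at all.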
