note
dsheroh
Except, of course, that interpolating user-supplied input directly into your SQL statements is <a href='http://xkcd.com/327/'>bad ju-ju</a>. Much better would be:
<c>
my @where;
my @values;
my $sql = 'select * from table';
if defined $var1 { push @where, 'column1 = ?'; push @values, $var1; }
if defined $var2 { push @where, 'column2 = ?'; push @values, $var2; }
if defined $var3 { push @where, 'column3 = ?'; push @values, $var3; }
$sql = $sql . ' where ' . join(' and ', @where);
my $sth = $dbh->prepare_cached($sql);
$sth->execute(@values);
</c>
or
<c>
my @values = (undef, $var1, $var2, $var3);
my @where;
my $sql = 'select * from table';
my @defined_values;
foreach my idx (1..3) {
if defined $values[$idx] {
push @where, qq(column$dx = ?);
push @defined_values, $values[$idx];
}
}
$sql = $sql . ' where ' . join(' and ', @where);
my $sth = $dbh->prepare_cached($sql);
$sth->execute(@defined_values);
</c>
790061
790065