[PLUG] Perl DBI question

Alan alan at clueserver.org
Tue Feb 15 07:25:34 UTC 2005


On Mon, 2005-02-14 at 17:05 -0800, AthlonRob wrote:
> On Sun, 2005-02-13 at 17:50 -0700, Matt Alexander wrote:
> > Any suggestions?
> 
> Yes, build your query as a string and then execute it.  :-)
> 
> $sql  = "SELECT * FROM table WHERE coll LIKE '%";
> $sql .= $value . "%'";
> $sth = $dbh->prepare($sql);
> $sth->execute();
> 
> Just a matter of style, I think, but I prefer building SQL queries as
> strings before executing them rather than using the "?" stuff.  IMHO, it
> is simpler and easier to deal with and debug.

And less safe.

If the user has access to what gets fed into $value he can do things
like:

$value = 'something useless%";DROP table';

-- 
Deceased, immature canines are lacking in recreational possibilities.
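For contrast with the string-built query above, here is the same LIKE search written with a DBI placeholder, as an added example that is not part of the thread. It assumes DBD::SQLite is installed; the table, rows and search values are constructed in the script.

```perl
#!/usr/bin/perl
# Added example (not from the thread): the LIKE query with a DBI placeholder,
# so the user-supplied value is bound as data and never spliced into the SQL.
# Assumes DBD::SQLite; the table and rows below are constructed for the demo.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE t (id INTEGER PRIMARY KEY, coll TEXT)");
my $ins = $dbh->prepare("INSERT INTO t (coll) VALUES (?)");
$ins->execute($_) for ("something useful", "nothing here", "100% useless");

# The % wildcards are added to the bound *value*, not to the SQL text, so the
# statement text is constant no matter what the user typed.  LIKE's own
# metacharacters in the input are escaped so a literal % or _ matches literally.
sub search_coll {
    my ($dbh, $value) = @_;
    my $sth = $dbh->prepare(
        "SELECT id, coll FROM t WHERE coll LIKE ? ESCAPE '\\'");
    (my $escaped = $value) =~ s/([\\%_])/\\$1/g;
    $sth->execute("%$escaped%");
    return $sth->fetchall_arrayref;
}

# Ordinary search.
print "$_->[0]: $_->[1]\n" for @{ search_coll($dbh, "useful") };

# A literal percent sign is matched as a character, not as a wildcard.
print "literal %: ", scalar @{ search_coll($dbh, "100%") }, " row(s)\n";

# The hostile value from the reply is only a string to match against: no
# second statement runs and the table is still there afterwards.
my $hostile = 'something useless%";DROP table';
my $none    = search_coll($dbh, $hostile);
printf "%d rows matched the hostile value; table still has %d rows\n",
    scalar @$none, $dbh->selectrow_array("SELECT COUNT(*) FROM t");
```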



