[PLUG] Perl DBI question
Alan
alan at clueserver.org
Tue Feb 15 07:25:34 UTC 2005
On Mon, 2005-02-14 at 17:05 -0800, AthlonRob wrote:
> On Sun, 2005-02-13 at 17:50 -0700, Matt Alexander wrote:
> > Any suggestions?
>
> Yes, build your query as a string and then execute it. :-)
>
> $sql = "SELECT * FROM table WHERE coll LIKE\'\%";
> $sql .= $value . "\%\'";
> $sth = $dbh->prepare($sql);
> $sth->execute();
>
> Just a matter of style, I think, but I prefer building SQL queries as
> strings before executing them rather than using the "?" stuff. IMHO, it
> is simpler and easier to deal with and debug.
And less safe.
If the user has access to what gets fed into $value he can do things
like:
$value = 'something useless%";DROP table';
--
Deceased, immature canines are lacking in recreational possibilities.
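The difference between the two approaches in the thread, shown as an added example (this is not code from AthlonRob, Alan or the PLUG list). It assumes DBD::SQLite is installed so the script can run against an in-memory database; the table name, rows and the hostile input are constructed for the demonstration. The first function builds the query as a string exactly as in the quoted post, the second passes the value as a DBI placeholder; both are called with the same crafted input so the effect on the result set is visible.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database with constructed sample rows (example data only).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE items (id INTEGER PRIMARY KEY, coll TEXT)");
$dbh->do("INSERT INTO items (coll) VALUES (?)", undef, $_)
    for qw(apple banana cherry);

# String-building approach from the quoted post: $value is spliced into the
# SQL text, so a quote character inside it becomes part of the query syntax.
sub search_concat {
    my ($value) = @_;
    my $sql = "SELECT coll FROM items WHERE coll LIKE '%" . $value . "%'";
    return $dbh->selectcol_arrayref($sql);
}

# Placeholder approach: DBI sends the SQL and the bound value separately,
# so whatever $value contains is matched as data and never parsed as SQL.
sub search_placeholder {
    my ($value) = @_;
    my $sql = "SELECT coll FROM items WHERE coll LIKE ?";
    return $dbh->selectcol_arrayref($sql, undef, "%$value%");
}

# Constructed input: closes the string literal and appends an always-true
# condition, turning the WHERE clause into "... OR '1' LIKE '1%'".
my $hostile = "zzz%' OR '1' LIKE '1";

my $leaked = search_concat($hostile);
print "concatenation returned ", scalar(@$leaked), " rows\n";   # all 3 rows

my $safe = search_placeholder($hostile);
print "placeholder returned ", scalar(@$safe), " rows\n";        # 0 rows

# Ordinary input behaves identically with either method.
print "placeholder 'an' matched: @{ search_placeholder('an') }\n";   # banana
```

With the concatenated form the crafted value rewrites the filter and every row comes back; with the placeholder the same bytes are treated as a literal LIKE pattern that matches nothing. Debugging is no harder with placeholders: DBI's `trace` method, or logging `$sql` together with the bind values, shows exactly what was sent.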