On 30 Oct 2007 at 14:11, Klaus Jantzen wrote:
> prady wrote:
> > hi all
> >
> > i am creating a perl script which takes the input from the file to
> > create tables, inserting values into the database. As you all know
> > the only procedure for taking input from a file (using perl script)
> > into MySQL database is through (?) place holders.
> >   
> That is not correct.

Right.

> > for example ,
> >
> > $sth = $dbh->prepare("INSERT INTO checkin (firstname, lastname, destination)
> >                       VALUES (?, ?, ?)");
> > $rows = 0;
> > open FILE, "passlist.txt" or die $!;
> > while (<FILE>) {
> >   chomp;
> >   ($firstname, $lastname, $destination) = split(/:/);
> >   $sth->execute($firstname, $lastname, $destination)
> >       || die "Couldn't insert record : $DBI::errstr";
> > }
> >   
> Without the "prepare" you can write:
> my $sql = qq/ INSERT INTO checkin SET firstname="$firstname", 
> lastname="$lastname", destination="$destination"/;
> my $rc = $dbh->do($sql);

Sure you can. And I can delete your database then.

Let me see, what happens if I claim my destination is

  See you"; DELETE FROM checkin; SELECT "gone

The fact that you can insert the data without the prepare() doesn't 
mean you should try to do that. And if you insist, at least use 
$dbh->quote() to make sure the values are safe to insert into the query. 

Jenda
===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed 
to get drunk and croon as much as they like.
        -- Terry Pratchett in Sourcery
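The three approaches discussed in this thread (string interpolation, placeholders, and $dbh->quote()) side by side, as an added example that is not part of the original posts. It uses Python's sqlite3 module rather than Perl DBI, and the input lines, the table and the `import_*` / `quote` helpers are constructed for the illustration. Jenda's destination value is adapted to single quotes and to the `VALUES (...)` form used here, since SQLite only guarantees single-quoted string literals and has no `INSERT ... SET` syntax; `executescript()` stands in for a driver that runs every statement it is handed.

```python
import sqlite3

# Constructed sample input in the "firstname:lastname:destination" layout that
# prady's script splits on ':'. The last destination is Jenda's payload adapted
# to single quotes and to the VALUES (...) form used below.
PASSLIST = [
    "Ann:Adams:Berlin",
    "Bob:Brown:Oslo",
    "Eve:Evil:See you'); DELETE FROM checkin; SELECT ('gone",
]


def fresh_db():
    """In-memory SQLite database with the checkin table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkin (firstname TEXT, lastname TEXT, destination TEXT)"
    )
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM checkin").fetchone()[0]


def destinations(conn):
    """Stored destination values, ordered so the result is deterministic."""
    rows = conn.execute("SELECT destination FROM checkin ORDER BY firstname")
    return [r[0] for r in rows]


def import_interpolated(conn, lines):
    """Klaus's approach: paste the values into the SQL text. As soon as a value
    contains a quote, the string is no longer a single INSERT statement."""
    for line in lines:
        firstname, lastname, destination = line.rstrip("\n").split(":")
        sql = (
            "INSERT INTO checkin (firstname, lastname, destination) "
            f"VALUES ('{firstname}', '{lastname}', '{destination}')"
        )
        conn.executescript(sql)  # runs every statement in the string
    return row_count(conn)


def import_placeholders(conn, lines):
    """prady's approach: one prepared INSERT, values bound at execute() time,
    so a quote in the data is just a character in the stored string."""
    for line in lines:
        firstname, lastname, destination = line.rstrip("\n").split(":")
        conn.execute(
            "INSERT INTO checkin (firstname, lastname, destination) VALUES (?, ?, ?)",
            (firstname, lastname, destination),
        )
    conn.commit()
    return row_count(conn)


def quote(value):
    """Minimal stand-in for DBI's $dbh->quote(): wrap in single quotes and
    double any embedded quote. Real code should call the driver's quote(),
    which knows the escaping rules of the database actually in use."""
    return "'" + str(value).replace("'", "''") + "'"


def import_quoted(conn, lines):
    """Jenda's fallback: still string-built, but every value goes through quote()."""
    for line in lines:
        firstname, lastname, destination = line.rstrip("\n").split(":")
        sql = (
            "INSERT INTO checkin (firstname, lastname, destination) "
            f"VALUES ({quote(firstname)}, {quote(lastname)}, {quote(destination)})"
        )
        conn.executescript(sql)
    return row_count(conn)


if __name__ == "__main__":
    print("interpolated:", import_interpolated(fresh_db(), PASSLIST), "rows left")
    print("placeholders:", import_placeholders(fresh_db(), PASSLIST), "rows left")
    print("quoted      :", import_quoted(fresh_db(), PASSLIST), "rows left")
```

The interpolated import ends with an empty table, because the third line's INSERT is followed by the DELETE smuggled in through the destination field; the placeholder and quoted imports both end with three rows, the third holding the whole payload as an ordinary string. Placeholders remain the better choice: the data never touches the SQL text at all, so there is no escaping rule to get wrong.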

