On Mon, 10 Mar 2003 08:18:31 -0600 Dan Muey <[EMAIL PROTECTED]> wrote:

> Since you know how your table is structured :
> 
> $query ="INSERT INTO stuff VALUES(NULL,$num,\'$character\')";
> 
> Or if you wanted to do it dynamically :
> 
> $query = "INSERT INTO stuff VALUES(";
> if($data =~ m/^\d+$/) { $query .= "$data\, "; }
> else { $query .= "\'$data\'\, "; }

The original poster wanted to make sure the values were properly
quoted.  If any "'" characters are in $character, the SQL you've given
will not parse correctly, if the user is lucky.  If the user is
unlucky, it could contain malicious SQL.

DBI already includes a method for properly quoting values.  Oddly
enough it is named quote().  Read the fine manual to learn about it.

That said, for DBDs that support them (including DBD::Oracle),
placeholders are far superior.

Again http://xmlproj.com/fom-serve/cache/49.html .

> > -----Original Message-----
> > From: Michael A Chase [mailto:[EMAIL PROTECTED] 
> > Sent: Saturday, March 08, 2003 9:02 PM
> > To: [EMAIL PROTECTED]; Rob Benton
> > Subject: Re: need some advice

> > Placeholders.  There are examples of using them in the fine 
> > DBI and DBD::Oracle manuals and in DBD-Oracle-xxx/Oracle.ex/ .
> > 
> http://xmlproj.com/fom-serve/cache/49.html

-- 
Mac :})
** I normally forward private questions to the appropriate mail list. **
Ask Smarter: http://www.catb.org/~esr/faqs/smart-questions.html
Give a hobbit a fish and he eats fish for a day.
Give a hobbit a ring and he eats fish for an age.

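The contrast described in the reply above, as an added example that is not part of the original thread: the interpolated statement from the quoted post next to DBI's quote() and a placeholder. It assumes DBD::SQLite is installed so the script runs stand-alone with an in-memory database (the thread concerns DBD::Oracle, where the placeholder code is identical), and uses a constructed value containing a single quote.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: interpolated SQL vs. $dbh->quote()
# vs. placeholders. DBD::SQLite with ":memory:" is an assumption made so the
# script runs without an Oracle instance.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE stuff (id INTEGER PRIMARY KEY, num INTEGER, character TEXT)');

# Constructed input: a value a user could plausibly type, containing "'".
my $num       = 42;
my $character = "O'Brien";

# 1. Interpolation, as in the quoted post. The embedded quote closes the
#    string literal early; the "lucky" outcome is a parse error, the unlucky
#    one is that the rest of the value is run as SQL.
my $bad = "INSERT INTO stuff VALUES(NULL,$num,'$character')";
eval { $dbh->do($bad) };
print "interpolated: ", ($@ ? "error: $@" : "ok\n");

# 2. $dbh->quote(): DBI escapes the value and wraps it in quotes in the
#    form this driver expects, so it is always a single literal.
my $quoted = sprintf "INSERT INTO stuff VALUES(NULL,%d,%s)",
    $num, $dbh->quote($character);
$dbh->do($quoted);

# 3. Placeholders: the value is bound at execute() and never becomes part
#    of the SQL text at all, so there is nothing to escape.
my $sth = $dbh->prepare('INSERT INTO stuff VALUES(NULL,?,?)');
$sth->execute($num, $character);

# Both safe forms stored the quote intact; the interpolated one stored nothing.
my $rows = $dbh->selectall_arrayref('SELECT num, character FROM stuff ORDER BY id');
printf "%d\t%s\n", @$_ for @$rows;
```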