On Mon, 10 Mar 2003 08:18:31 -0600 Dan Muey <[EMAIL PROTECTED]> wrote:
> Since you know how your table is structured :
>
> $query ="INSERT INTO stuff VALUES(NULL,$num,\'$character\')";
>
> Or if you wanted to do it dynamically :
>
> $query = "INSERT INTO stuff VALUES(";
> if($data =~ m/^\d+$/) { $query .= "$data\, "; }
> else { $query .= "\'$data\'\, "; }

The original poster wanted to make sure the values were properly quoted.
If any "'" characters are in $character, the SQL you've given will not
parse correctly, if the user is lucky.  If the user is unlucky, it could
contain malicious SQL.

DBI already includes a method for properly quoting values.  Oddly enough
it is named quote().  Read the fine manual to learn about it.

That said, for DBDs that support them (including DBD::Oracle), placeholders
are far superior.  Again http://xmlproj.com/fom-serve/cache/49.html .

> > -----Original Message-----
> > From: Michael A Chase [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, March 08, 2003 9:02 PM
> > To: [EMAIL PROTECTED]; Rob Benton
> > Subject: Re: need some advice
> >
> > Placeholders.  There are examples of using them in the fine
> > DBI and DBD::Oracle manuals and in DBD-Oracle-xxx/Oracle.ex/ .
> >
> > http://xmlproj.com/fom-serve/cache/49.html

-- 
Mac :})
** I normally forward private questions to the appropriate mail list. **
Ask Smarter: http://www.catb.org/~esr/faqs/smart-questions.html
Give a hobbit a fish and he eats fish for a day.
Give a hobbit a ring and he eats fish for an age.
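The three approaches discussed in this thread side by side, as an added example that is not part of any message above: interpolating the value into the SQL text, escaping it with $dbh->quote(), and binding it through a placeholder. It assumes DBD::SQLite with an in-memory database so it runs stand-alone; the table layout and the input value are constructed for the example, and the same DBI calls apply to DBD::Oracle.

```perl
#!/usr/bin/env perl
# Added example, not from the mailing-list thread.  Assumes DBD::SQLite
# (in-memory) so it runs offline; DBD::Oracle supports the same placeholders.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constructed table: the thread never shows the real schema of "stuff".
$dbh->do('CREATE TABLE stuff (id INTEGER PRIMARY KEY, num INTEGER, name TEXT)');

# Constructed input: an ordinary value that happens to contain a quote.
my ($num, $character) = (42, "O'Brien");

# 1. Direct interpolation, as in the quoted code.  The embedded quote ends the
#    string literal early and the statement fails to parse; with other input it
#    would instead change the meaning of the statement.
my $interpolated = "INSERT INTO stuff VALUES(NULL,$num,'$character')";
eval { $dbh->do($interpolated) };
print "interpolated: ", ($@ ? "rejected by the parser" : "accepted"), "\n";

# 2. $dbh->quote() produces a correctly escaped literal for this driver, so the
#    statement text is still built by hand but the quoting is no longer ad hoc.
my $quoted = sprintf "INSERT INTO stuff VALUES(NULL,%d,%s)",
                     $num, $dbh->quote($character);
$dbh->do($quoted);
print "quote():      stored ", $dbh->quote($character), "\n";

# 3. Placeholders: the value is bound at execute() time and never becomes part
#    of the SQL text, so there is nothing to escape.
my $sth = $dbh->prepare('INSERT INTO stuff VALUES(NULL, ?, ?)');
$sth->execute($num, $character);

# Reading back with a placeholder in the WHERE clause works the same way.
my $rows = $dbh->selectall_arrayref(
    'SELECT id, num, name FROM stuff WHERE name = ?', undef, $character);
printf "placeholder:  %d row(s) match name=%s\n", scalar @$rows, $character;
```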