>
> On Mon, 10 Mar 2003 08:18:31 -0600 Dan Muey
> <[EMAIL PROTECTED]> wrote:
>
> > Since you know how your table is structured :
> >
> > $query ="INSERT INTO stuff VALUES(NULL,$num,\'$character\')";
> >
> > Or if you wanted to do it dynamically :
> >
> > $query = "INSERT INTO stuff VALUES(";
> > if($data =~ m/^\d+$/) { $query .= "$data\, "; }
> > else { $query .= "\'$data\'\, "; }
>
> The original poster wanted to make sure the values were
> properly quoted. If any "'" characters are in $character,
Aahhh gotcha, in that case yes definitely use quote() because it will take care of
any charcaters that could casue problems and not just single quotes ( IE "(), etc.. )
Sorry for misunderstanding
DMuey
> the SQL you've given will not parse correctly, if the user is
> lucky. If the user is unlucky, it could contain malicious SQL.
>
> DBI already includes a method for properly quoting values.
> Oddly enough it is named quote(). Read the fine manual to
> learn about it.
>
> That said, for DBDs that support them (including
> DBD::Oracle), placeholders are far superior.
>
> Again http://xmlproj.com/fom-serve/cache/49.html .
>
> > > -----Original Message-----
> > > From: Michael A Chase [mailto:[EMAIL PROTECTED]
> > > Sent: Saturday, March 08, 2003 9:02 PM
> > > To: [EMAIL PROTECTED]; Rob Benton
> > > Subject: Re: need some advice
>
> > > Placeholders. There are examples of using them in the fine
> > > DBI and DBD::Oracle manuals and in DBD-Oracle-xxx/Oracle.ex/ .
> > >
> > http://xmlproj.com/fom-serve/cache/49.html
>
> --
> Mac :})
> ** I normally forward private questions to the appropriate
> mail list. ** Ask Smarter:
> http://www.catb.org/~esr/faqs/smart-> questions.html
> Give a
> hobbit a fish and he eats fish for a
> day.
> Give a hobbit a ring and he eats fish for an age.
>
>
