Here, I'll try and be more helpful than berating. I'm sorry I'm having
a bad day. The code below is not totally complete. Some error
handling needs to be added for sure. I would consider this to be pseudo
code simply because I did not check my work for syntax. I think it's
fairly accurate though.
## this assumes you want to insert all form elements
use strict;
use warnings;
use CGI;
use DBI;

my $cgi = CGI->new();
my $dbh = DBI->connect(<connect info goes here>);
my $sql = "INSERT INTO table (";
my $val = "values(";
my $array_ref = [];
## build your statement assuming the form element names are
## the same as your column names.
## NOTE: the form element *names* are interpolated into the SQL text,
## so the placeholders do not protect them; refuse anything that is
## not a plain identifier before it reaches the statement.
foreach ( $cgi->param() ){
  die "unexpected form field name: $_" unless /^[A-Za-z_]\w*$/;
  $sql .= "$_,";
  $val .= "?,";
  push(@{$array_ref}, $cgi->param($_));
}
$sql =~ s/,$/) /; ## strip the last comma and add a closing paren.
$val =~ s/,$/)/;
my $sth = $dbh->prepare($sql.$val);
## execute() takes the bind values as a list, not as an array reference.
my $result = $sth->execute(@{$array_ref});
$dbh->commit(); ## if autocommit is not on.
Ian Harisay wrote:
Are you not listening to these people giving you helpful advice? Use
the placeholders. I guarantee you will be glad you did. C'mon man!!!
Embrace the change.
Rob Benton wrote:
There won't be any ['"] (read that as reg. expression) inside the fields
so that's not a problem. All I need to do is decide whether to
single-quote the variable based on its data-type. Also this will just
be a select statement.
On Mon, 2003-03-10 at 09:39, Dan Muey wrote:
On Mon, 10 Mar 2003 08:18:31 -0600 Dan Muey <[EMAIL PROTECTED]> wrote:
Since you know how your table is structured :
$query ="INSERT INTO stuff VALUES(NULL,$num,\'$character\')";
Or if you wanted to do it dynamically :
$query = "INSERT INTO stuff VALUES(";
if($data =~ m/^\d+$/) { $query .= "$data\, "; }
else { $query .= "\'$data\'\, "; }
The original poster wanted to make sure the values were properly
quoted. If any "'" characters are in $character,
the SQL you've given will not parse correctly, if the user is
lucky. If the user is unlucky, it could contain malicious SQL.
DBI already includes a method for properly quoting values. Oddly
enough it is named quote(). Read the fine manual to learn about it.
That said, for DBDs that support them (including DBD::Oracle),
placeholders are far superior.
Aahhh gotcha, in that case yes definitely use quote() because it
will take care of any characters that could cause problems and not
just single quotes ( IE "(), etc.. )
Sorry for misunderstanding
DMuey
Again http://xmlproj.com/fom-serve/cache/49.html .
-----Original Message-----
From: Michael A Chase [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 08, 2003 9:02 PM
To: [EMAIL PROTECTED]; Rob Benton
Subject: Re: need some advice
Placeholders. There are examples of using them in the fine
DBI and DBD::Oracle manuals and in DBD-Oracle-xxx/Oracle.ex/ .
http://xmlproj.com/fom-serve/cache/49.html
--
Mac :})
** I normally forward private questions to the appropriate mail
list. ** Ask Smarter: http://www.catb.org/~esr/faqs/smart-questions.html
Give a hobbit a fish and he eats fish for a day.
Give a hobbit a ring and he eats fish for an age.
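The three approaches argued over in this thread side by side, as an added example that is not from any of the posters. It uses a constructed in-memory SQLite table (DBD::SQLite, assumed installed) in place of the Oracle table, and a constructed value containing a single quote, the case Michael Chase warns about.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example database standing in for the "stuff" table in the thread.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE stuff (id INTEGER PRIMARY KEY, num INTEGER, character TEXT)");

# Constructed input with an embedded single quote.
my $num       = 42;
my $character = "O'Brien";

# 1. Interpolation, as in the quoted $query = "... VALUES(NULL,$num,'$character')".
#    The quote inside the data closes the string literal early, so the
#    statement is no longer valid SQL and do() raises an error.
my $interpolated = "INSERT INTO stuff VALUES(NULL,$num,'$character')";
eval { $dbh->do($interpolated); 1 }
    or print "interpolated statement rejected: $@";

# 2. $dbh->quote(): escapes the value and wraps it in quotes the way this
#    particular driver expects, so the literal survives intact.
my $quoted = "INSERT INTO stuff VALUES(NULL,$num," . $dbh->quote($character) . ")";
$dbh->do($quoted);

# 3. Placeholders: the data never becomes part of the SQL text. DBI binds it
#    separately, so there is no per-data-type quoting decision to get wrong.
my $sth = $dbh->prepare("INSERT INTO stuff VALUES(NULL,?,?)");
$sth->execute($num, $character);

# Both safe variants stored the apostrophe-containing value unchanged.
my $rows = $dbh->selectall_arrayref(
    "SELECT num, character FROM stuff ORDER BY id");
printf "%d row(s) stored, first character column = %s\n",
    scalar @$rows, $rows->[0][1];
$dbh->disconnect;
```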