OK I see what you're doing. What I would need to do is just tweak that
a little. I would need something like:
foearch ($cgi->param() ) {
if ( <some test on the type here> ) {
$dbh->quote($_);
}
$sql .= "$_,";
$val .= "?,";
push(@{$array_ref}, $cgi->param($_));
}
Does that make any sense?
On Mon, 2003-03-10 at 12:45, Ian Harisay wrote:
> Here, I'll try and be more helpful than berating. I'm sorry I'm having
> a bad day. The code below is not totally complete. Some error
> handling needs to be added for sure. I would consider this to be psuedo
> code simply because I did not check my work for syntax. I think it
> fairly accruate though.
>
> ## this assumes you want to insert all form elements
> my $cgi = CGI->new();
> my $dbh = DBI->connect(<connect info goes here>);
>
> my $sql = "INSERT INTO table (";
> my $val = "values(";
> my $array_ref = [];
>
> ## build your statement assuming the form element names are
> ## the same as your column names.
> foreach ( $cgi->param() ){
> $sql .= "$_,";
> $val .= "?,";
> push(@{$array_ref}, $cgi->param($_));
> }
> $sql =~ s/,$/) /; ## strip the last comma and add a closing paren.
> $val =~ s/,$/)/;
>
> my $sth = $dbh->prepare($sql.$val);
> my $result = $sth->execute($array_ref);
>
> $dbh->commit(); ## if autocommit is not on.
> Ian Harisay wrote:
>
> > Are you not listening to these people giving you helpful advice? Use
> > the placeholders. I gaurantee you will be glad you did. C'mon man!!!
> > Embrace the change.
> >
> > Rob Benton wrote:
> >
> >> There won't be any ['"] (read that as reg. expression) inside the fields
> >> so that's not a problem. All I need to do is decide whether to
> >> single-quote the variable based on its data-type. Also this will just
> >> be a select statement.
> >>
> >> On Mon, 2003-03-10 at 09:39, Dan Muey wrote:
> >>
> >>
> >>>> On Mon, 10 Mar 2003 08:18:31 -0600 Dan Muey <[EMAIL PROTECTED]>
> >>>> wrote:
> >>>>
> >>>>
> >>>>
> >>>>> Since you know how your table is structured :
> >>>>>
> >>>>> $query ="INSERT INTO stuff VALUES(NULL,$num,\'$character\')";
> >>>>>
> >>>>> Or if you wanted to do it dynamically :
> >>>>>
> >>>>> $query = "INSERT INTO stuff VALUES(";
> >>>>> if($data =~ m/^\d+$/) { $query .= "$data\, "; }
> >>>>> else { $query .= "\'$data\'\, "; }
> >>>>>
> >>>>
> >>>> The original poster wanted to make sure the values were properly
> >>>> quoted. If any "'" characters are in $character,
> >>>
> >>> Aahhh gotcha, in that case yes definitely use quote() because it
> >>> will take care of any charcaters that could casue problems and not
> >>> just single quotes ( IE "(), etc.. )
> >>>
> >>> Sorry for misunderstanding
> >>>
> >>> DMuey
> >>>
> >>>
> >>>
> >>>> the SQL you've given will not parse correctly, if the user is
> >>>> lucky. If the user is unlucky, it could contain malicious SQL.
> >>>>
> >>>> DBI already includes a method for properly quoting values. Oddly
> >>>> enough it is named quote(). Read the fine manual to learn about it.
> >>>>
> >>>> That said, for DBDs that support them (including DBD::Oracle),
> >>>> placeholders are far superior.
> >>>>
> >>>> Again http://xmlproj.com/fom-serve/cache/49.html .
> >>>>
> >>>>
> >>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Michael A Chase [mailto:[EMAIL PROTECTED]
> >>>>>> Sent: Saturday, March 08, 2003 9:02 PM
> >>>>>> To: [EMAIL PROTECTED]; Rob Benton
> >>>>>> Subject: Re: need some advice
> >>>>>>
> >>>>>> Placeholders. There are examples of using them in the fine
> >>>>>> DBI and DBD::Oracle manuals and in DBD-Oracle-xxx/Oracle.ex/ .
> >>>>>>
> >>>>>>
> >>>>>
> >>>>> http://xmlproj.com/fom-serve/cache/49.html
> >>>>>
> >>>>
> >>>> --
> >>>> Mac :})
> >>>> ** I normally forward private questions to the appropriate mail
> >>>> list. ** Ask Smarter: http://www.catb.org/~esr/faqs/smart->
> >>>> questions.html
> >>>> Give a hobbit a fish and he eats fish for a day.
> >>>> Give a hobbit a ring and he eats fish for an age.
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >>
> >
> >
>
>
>
