From: "Avis, Ed" <[EMAIL PROTECTED]>
> I think the moral of the story is that trying to intelligently quote
> special characters like ' is difficult to get right and too likely to
> have subtle problems.  Better to just forbid the quotation mark:
> 
>    die "bad value $foo" if $foo =~ tr/'//;
>    $sql = "select * from a where x = '$foo'";

This is usually not a viable option.
Don't forget names like d'Artagnan or O'Connel :-)
 
> Of course, you can go a stage further and have a list of good
> characters rather than trying to catch bad ones: but in this
> particular case you can assume that in SQL only another ' character
> can terminate a string quoted with '.  If this is not the case please
> let me know!

I'm afraid this depends on the database. I'd expect "\0" to be 
problematic to some databases as well.

> If you do need weird characters in your string, just use placeholders.

I'd drop the first part of the sentence.
Just use placeholders!
 
Jenda
===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed 
to get drunk and croon as much as they like.
        -- Terry Pratchett in Sourcery
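
The two approaches argued about above, side by side, as an added example that is not part of the original thread: it is written in Python with the standard-library sqlite3 driver rather than the thread's Perl, and uses a constructed in-memory table `a` with one column `x` holding the kind of names Jenda mentions. The quote-forbidding check rejects legitimate input, naive interpolation breaks the statement on the same input, and a bound placeholder handles it without any quoting logic.

```python
import sqlite3

# Constructed sample rows: names a quote-forbidding check would reject.
SAMPLE_NAMES = ["d'Artagnan", "O'Connel", "Smith"]


def make_db():
    """Build an in-memory SQLite table `a` with one text column `x` (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table a (x text)")
    conn.executemany("insert into a (x) values (?)", [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def build_sql_forbidding_quotes(foo):
    """The approach quoted in the thread: refuse any value containing a quote
    mark, then interpolate the value into the statement text."""
    if "'" in foo:
        raise ValueError(f"bad value {foo}")
    return f"select * from a where x = '{foo}'"


def lookup_interpolated(conn, foo):
    """Interpolation with no check at all, to show what a legitimate apostrophe
    does: it ends the SQL string early and the statement no longer parses."""
    return [row[0] for row in conn.execute(f"select * from a where x = '{foo}'")]


def lookup_with_placeholder(conn, foo):
    """Jenda's advice: bind the value through a placeholder, so the driver, not
    the application, decides how the value reaches the database."""
    return [row[0] for row in conn.execute("select * from a where x = ?", (foo,))]


if __name__ == "__main__":
    conn = make_db()
    for name in SAMPLE_NAMES:
        try:
            build_sql_forbidding_quotes(name)
            print(f"{name!r}: passes the quote check")
        except ValueError as err:
            print(f"{name!r}: rejected by the quote check ({err})")
        try:
            print(f"{name!r}: interpolated lookup -> {lookup_interpolated(conn, name)}")
        except sqlite3.OperationalError as err:
            print(f"{name!r}: interpolated lookup fails to parse ({err})")
        print(f"{name!r}: placeholder lookup -> {lookup_with_placeholder(conn, name)}")
```

Running the script shows `d'Artagnan` and `O'Connel` rejected by the check and breaking the interpolated statement, while the placeholder lookup returns each row as stored; the value never becomes part of the SQL text, which is why no list of "special characters" is needed.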
