On Fri, Dec 05, 2003 at 02:01:15PM +0100, Jenda Krynicky wrote:
> From: "Avis, Ed" <[EMAIL PROTECTED]>
> > I think the moral of the story is that trying to intelligently quote
> > special characters like ' is difficult to get right and too likely to
> > have subtle problems. Better to just forbid the quotation mark:
> >
> > die "bad value $foo" if $foo =~ tr/'//;
> > $sql = "select * from a where x = '$foo'";
>
> This is usually not a viable option.
> Don't forget names like d'Artagnan or O'Connel :-)
>
> > Of course, you can go a stage further and have a list of good
> > characters rather than trying to catch bad ones: but in this
> > particular case you can assume that in SQL only another ' character
> > can terminate a string quoted with '. If this is not the case please
> > let me know!
>
> I'm afraid this depends on the database. I'd expect "\0" to be
> problematic to some databases as well.
>
> > If you do need weird characters in your string, just use placeholders.
>
> I'd drop the first part of the sentence.
> Just use placeholders!
Of course some drivers, the current DBD::mysql included, implement placeholders by escaping the value and embedding it into the SQL before sending the SQL to the server. You have to trust that the driver will do-the-right-thing for all possible placeholder values.

Tim.
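To make the three approaches in this thread concrete, here is an added example (not code from the thread or from DBI itself) that runs the interpolated query, a placeholder query and an explicit `$dbh->quote` query against an in-memory database; it assumes DBD::SQLite is installed and uses constructed sample names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not from the thread. Assumes DBD::SQLite is installed;
# an in-memory database stands in for the real server.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("create table a (x text)");

# Constructed sample data: names that legitimately contain the quote character.
my @names = ("d'Artagnan", "O'Connel", "Jenda");
my $ins = $dbh->prepare("insert into a (x) values (?)");
$ins->execute($_) for @names;

# 1. Interpolating the value into the SQL (what the thread warns against):
#    a name containing ' breaks the statement, and other input could alter it.
sub lookup_interpolated {
    my ($foo) = @_;
    my $sql = "select count(*) from a where x = '$foo'";
    my ($n) = eval { $dbh->selectrow_array($sql) };
    return defined $n ? $n : "error: $@";
}

# 2. Placeholders: the value never becomes part of the SQL text you write.
#    DBD::SQLite binds it server-side; drivers such as DBD::mysql (per Tim's
#    note) escape and embed it, so you rely on the driver quoting correctly.
sub lookup_placeholder {
    my ($foo) = @_;
    my ($n) = $dbh->selectrow_array("select count(*) from a where x = ?", undef, $foo);
    return $n;
}

# 3. Explicit client-side quoting via the driver, which is what placeholder
#    emulation does internally; still driver-dependent, so prefer placeholders.
sub lookup_quoted {
    my ($foo) = @_;
    my ($n) = $dbh->selectrow_array("select count(*) from a where x = " . $dbh->quote($foo));
    return $n;
}

for my $name ("d'Artagnan", "Jenda") {
    printf "%-12s interpolated=%s placeholder=%d quoted=%d\n",
        $name, lookup_interpolated($name), lookup_placeholder($name), lookup_quoted($name);
}
```

For d'Artagnan the interpolated query fails with a syntax error while the placeholder and quoted forms each find the one matching row; swap in a different DBD driver to see which path it takes for placeholders.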