Jared Still [mailto:[EMAIL PROTECTED] wrote:
> Here's a fun and slightly obfuscated method to do that:
>
> my $usql=q{select username from dba_users};
> my $aryRef = $dbh->selectall_arrayref($usql);
> my @users = map { $aryRef->[$_][0] } 0..$#{$aryRef};
> my $newSql = q{select from users where username in ('}
> . join(q{','},@users) . q{')};
>
> print "$newSql\n";
Regardless of the method you use to construct the query, you should not
quote the values by hand. This approach will fail if a value contains a
single quote, and may make you vulnerable to SQL injection attacks.
Instead, either call $dbh->quote() or use placeholders. For example:
my @users = map $_->[0], @$aryRef;
my $newSql = 'SELECT FROM users WHERE username IN (' .
join(', ', map $dbh->quote($_), @users) . ')';
Ronald
