On Thu, 2005-05-26 at 07:05, Ronald J Kimball wrote:
> Regardless of the method you use to construct the query, you should not
> quote the values by hand. This approach will fail if a value contains a
> single quote, and may make you vulnerable to SQL injection attacks.

Yes, thank you. A bad habit I should get out of.

> Instead, either call $dbh->quote() or use placeholders. For example:
>
> my @users = map $_->[0], @$aryRef;
> my $newSql = 'SELECT * FROM users WHERE username IN (' .
>     join(', ', map $dbh->quote($_), @users) . ')';
>
> Ronald
>
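The three approaches Ronald contrasts, run side by side, as an added example that is not part of the original thread or of either poster's code. It assumes DBD::SQLite is installed (an in-memory database stands in for the real one), and the `users` table and the usernames, including one that contains a single quote, are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database with constructed sample rows. Assumption:
# DBD::SQLite is installed; any DBI driver behaves the same for quote()
# and placeholders.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
my $ins = $dbh->prepare('INSERT INTO users (username) VALUES (?)');
$ins->execute($_) for ('alice', 'bob', "o'brien");

# Constructed lookup list. One value contains a single quote, which is the
# case the hand-quoted build mishandles.
my @users = ('alice', "o'brien");

# 1. Hand-quoting: the embedded quote ends the string literal early, so the
#    statement is malformed. With attacker-controlled input the same flaw
#    lets the input change the statement's meaning instead of just breaking it.
my $bad_sql = 'SELECT username FROM users WHERE username IN ('
            . join(', ', map { "'$_'" } @users) . ')';
eval { $dbh->selectall_arrayref($bad_sql) };
print "hand-quoted query failed: ", ($@ ? "yes" : "no"), "\n";

# 2. $dbh->quote(): the driver escapes each value for its own SQL dialect,
#    so the embedded quote is rendered correctly.
my $quoted_sql = 'SELECT username FROM users WHERE username IN ('
               . join(', ', map { $dbh->quote($_) } @users) . ')';
my $rows = $dbh->selectcol_arrayref($quoted_sql);
print "quote(): ", join(', ', @$rows), "\n";

# 3. Placeholders: the SQL text never contains user data. An IN list needs
#    one '?' per value, so generate them from the list length and pass the
#    values to execute(), where the driver binds them.
my $placeholders = join(', ', ('?') x @users);
my $sth = $dbh->prepare(
    "SELECT username FROM users WHERE username IN ($placeholders)");
$sth->execute(@users);
my @found = map { $_->[0] } @{ $sth->fetchall_arrayref };
print "placeholders: ", join(', ', @found), "\n";

$dbh->disconnect;
```

Both quote() and placeholders return alice and o'brien; only the hand-quoted statement fails. The placeholder form is the one to prefer when the list length varies, since the generated `?` list keeps the data out of the SQL text entirely and the prepared statement can be reused.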