I believe placeholders (?) could be a better alternative to quote(). Handling of the IN operator was addressed by a thread last October, and additional information like placeholders which allows for possible prepare statement optimization. You can jump in on my contribution if you like, and then work your way through the thread...
http://www.nntp.perl.org/group/perl.dbi.users/24638 Aren't archives wonderful? -----Original Message----- From: Ronald J Kimball [mailto:[EMAIL PROTECTED] Sent: Thursday, May 26, 2005 7:06 AM To: 'Jared Still'; [EMAIL PROTECTED] Cc: DBI List Subject: RE: How to store query results in an array? Jared Still [mailto:[EMAIL PROTECTED] wrote: > Here's a fun and slightly obfuscated method to do that: > > my $usql=q{select username from dba_users}; > my $aryRef = $dbh->selectall_arrayref($usql); > my @users = map { $aryRef->[$_][0] } 0..$#{$aryRef}; > my $newSql = q{select from users where username in ('} > . join(q{','},@users) . q{')}; > > print "$newSql\n"; Regardless of the method you use to construct the query, you should not quote the values by hand. This approach will fail if a value contains a single quote, and may make you vulnerable to SQL injection attacks. Instead, either call $dbh->quote() or use placeholders. For example: my @users = map $_->[0], @$aryRef; my $newSql = 'SELECT FROM users WHERE username IN (' . join(', ', map $dbh->quote($_), @users) . ')'; Ronald
Brian Campbell (E-mail).vcf
Description: Binary data
