Deviloper wrote:
Hi,

I have to review (and tune) some source code. I noticed that the developer
single-quoted or double-quoted some variables used in SQL statements.

$dbh->prepare("SELECT * FROM cars WHERE car_id='$id' AND car_date="$date" and AND 
sale_price=$price");
$dbh->execute;

(Note: I know that this is terribly wrong and hurts while reading, but that's the
code I got.)

I want to make it better, but I don't know what I have to quote and what not,
because I am fresh to SQL and DBI.

my $query = qq/SELECT * FROM cars WHERE car_id=? AND car_date=? AND sale_price=?/;
my $sth = $dbh->prepare($query);
$sth->execute($id, $date, $price);
or do I have to do it this way?

my $query = qq/SELECT * FROM cars WHERE car_id='?' AND car_date="?" AND sale_price=?/;
my $sth = $dbh->prepare($query);
$sth->execute($id, $date, $price);
Thanks a lot,
(it's no homework)
B.


The former is the correct way. Quoting does not come into it when using bound parameters.

Martin
--
Martin J. Evans
Easysoft Limited
http://www.easysoft.com
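The point Martin makes, as an added runnable example that is not part of the thread: placeholders take the values unquoted, and the driver keeps them separate from the SQL text, so a value containing a quote needs no escaping by the caller. It also shows what goes wrong with the second form from the question, where '?' inside quotes is a string literal rather than a placeholder. The script assumes DBD::SQLite is installed (chosen so it runs against an in-memory database without a server); the table, rows and values are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not code from the thread. Assumes DBD::SQLite is installed;
# an in-memory database keeps the script self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE cars (car_id INTEGER, car_date TEXT, sale_price REAL)");

# Constructed sample rows. The second car_date contains a single quote on
# purpose: with bound parameters the caller never has to escape it.
my $ins = $dbh->prepare(
    "INSERT INTO cars (car_id, car_date, sale_price) VALUES (?, ?, ?)");
$ins->execute(1, "2009-01-15",    9990);
$ins->execute(2, "O'Brien's lot", 1);

# The former form from the question: bare placeholders, no quotes of any kind.
# The SQL text and the three values travel separately, so the integer, the
# string and the number are all bound the same way.
my $sth = $dbh->prepare(
    "SELECT car_id, car_date, sale_price FROM cars " .
    "WHERE car_id=? AND car_date=? AND sale_price=?");

for my $args ([1, "2009-01-15", 9990], [2, "O'Brien's lot", 1]) {
    $sth->execute(@$args);
    while (my $row = $sth->fetchrow_arrayref) {
        print join(" | ", @$row), "\n";
    }
}

# The latter form from the question: quoting a placeholder turns it into the
# literal string '?'. The statement then has one real placeholder (sale_price=?)
# instead of three, so DBI refuses execute() with three bind values.
my $ok = eval {
    my $s = $dbh->prepare(
        "SELECT * FROM cars WHERE car_id='?' AND car_date=\"?\" AND sale_price=?");
    $s->execute(1, "2009-01-15", 9990);
    1;
};
print "quoted placeholders refused: $@" unless $ok;

$dbh->disconnect;
```

Run it with plain perl; the first loop prints both rows, including the one whose car_date contains an apostrophe, and the eval block reports the error raised for the quoted-placeholder statement.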
