2008/12/4 Deviloper <[EMAIL PROTECTED]>:
> I have to review (and tune) some sourcecode. I noticed that the developer
> single-quoted or double-quoted some variables used in SQL-Statements.
>
> $dbh->prepare("SELECT * FROM cars WHERE car_id='$id' AND car_date="$date" and
> AND sale_price=$price");
> $dbh->execute;
There is a risk of SQL injection attacks in this code, but you know that :)
> (Note: I know that this is terribly wrong and hurts while reading, but that's
> the code I got.)
>
> I want to make it better, but I don't know what I have to quote and what not,
> because I am fresh to SQL and DBI.
>
> my $query = qq/SELECT * FROM cars WHERE car_id=? AND car_date=? AND
> sale_price=?/;
> $dbh->execute($id, $date, $price);
This is the correct way - although you need to prepare the query
before executing it:
my $sql = qq/SELECT * FROM cars WHERE car_id=? AND car_date=? AND sale_price=?/;
my $query = $dbh->prepare( $sql );
$query->execute($id, $date, $price);
> or do I have to do it this way?
>
> my $query = qq/SELECT * FROM cars WHERE car_id='?' AND car_date="?" AND
> sale_price=?/;
> $dbh->execute($id, $date, $price);
>
> Thanks a lot,
> (it's no homework)
> B.
>
--
[EMAIL PROTECTED] - http://ecclestoad.co.uk
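As an added example (not code from the thread) showing why the placeholders must stay unquoted, assuming DBD::SQLite is installed and using a constructed in-memory `cars` table:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory SQLite database with two sample rows (needs DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE cars (car_id TEXT, car_date TEXT, sale_price INTEGER)');
my $ins = $dbh->prepare('INSERT INTO cars VALUES (?, ?, ?)');
$ins->execute(@$_) for ( ["A1",        "2008-12-04", 5000],
                         ["O'Brien's", "2008-12-04", 7500] );

# Values as a user might supply them; the apostrophes in $id are exactly what
# breaks a query that interpolates and hand-quotes its variables.
my ($id, $date, $price) = ("O'Brien's", "2008-12-04", 7500);

# Correct form: bare ? placeholders, prepare first, then execute with the values.
# The driver sends the values separately from the SQL text, so nothing needs
# quoting and the quote characters in $id cannot change the statement.
my $sql = 'SELECT * FROM cars WHERE car_id=? AND car_date=? AND sale_price=?';
my $sth = $dbh->prepare($sql);
$sth->execute($id, $date, $price);
while (my $row = $sth->fetchrow_hashref) {
    print "matched: $row->{car_id} $row->{car_date} $row->{sale_price}\n";
}

# Wrong form: quoting the placeholder turns '?' into the literal string "?",
# so only sale_price=? is a real placeholder. execute() with three bind values
# therefore fails with a bind-count error, and even if it ran, car_id='?'
# would compare against a literal question mark, never against $id.
my $bad = q{SELECT * FROM cars WHERE car_id='?' AND car_date="?" AND sale_price=?};
my $bad_sth = $dbh->prepare($bad);
eval { $bad_sth->execute($id, $date, $price); 1 }
    or print "quoted placeholders rejected: $@";

$dbh->disconnect;
```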