On Feb 28, 2006, at 8:37 AM, Scott wrote:
I have a web form that we use to submit comments to a database, however
some characters will make the insert fail. For instance usage of ' or ;.
Below is the snippet that handles this, perhaps I could be corrected in
the errors of my ways.

$dbh->do("insert into email
          (name, email, comments, host, agent) values
          ('$name', '$email', '$comment', '$ip', '$ua')");
Embedding variables directly into SQL will always yield this problem.
In fact it is worse, because I can make your server delete records with
this.

It is much safer to use $dbh->prepare with placeholders, then call
$sth->execute with your variables. See the DBI documentation:
http://search.cpan.org/perldoc?DBI

Graham.
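Graham's suggestion in working form, as an added example that is not code from the thread: it assumes DBD::SQLite is installed, uses an in-memory database, and feeds the prepared statement constructed sample input containing the very characters that broke the interpolated version.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example: in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE email (name TEXT, email TEXT, comments TEXT, host TEXT, agent TEXT)");

# Prepare once with ? placeholders. The values are bound at execute time
# and never spliced into the SQL text, so a quote or semicolon in user
# input is stored as data instead of being parsed as SQL.
my $sth = $dbh->prepare(
    "INSERT INTO email (name, email, comments, host, agent) VALUES (?, ?, ?, ?, ?)"
);

# Constructed input that would have broken the interpolated $dbh->do.
my ($name, $email, $comment, $ip, $ua) = (
    "O'Brien",
    'scott@example.com',
    "Nice site; it's great",
    "192.0.2.10",
    "Mozilla/5.0",
);

$sth->execute($name, $email, $comment, $ip, $ua);

# Read the row back with a placeholder as well, to confirm the quote and
# semicolon survived verbatim.
my $row = $dbh->selectrow_hashref(
    "SELECT name, comments FROM email WHERE name = ?", undef, $name);
print "$row->{name}: $row->{comments}\n";
```

The same $sth can be executed repeatedly with different bound values; only the statement text is parsed once.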
Mason-users mailing list
https://lists.sourceforge.net/lists/listinfo/mason-users