In article <[EMAIL PROTECTED]>,
"Eamon Daly" <[EMAIL PROTECTED]> writes:
> my $sql = sprintf <<'EOF', join(',', @array);
> SELECT col2, col3, col4
> FROM table1
> WHERE col1 IN (%s)
> EOF
> my $sth = $dbh->prepare($sql);
> $sth->execute() or die $sth->errstr();
This code is susceptible to an SQL injection attack. I'd use
something like the following instead:
my $sql = q{
SELECT col2, col3, col4
FROM table1
WHERE col1 IN (%s)
};
my $sth = $dbh->prepare(sprintf $sql,
join ',', map { $dbh->quote($_) } @array);
$sth->execute() or die $sth->errstr();
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
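The usual DBI alternative to quoting each element is one `?` placeholder per list element, with the values passed to `execute`. The following is an added example, not code from either poster; it assumes DBD::SQLite is installed and uses an in-memory table with constructed rows in place of the MySQL table1.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not from the original thread. Assumes DBD::SQLite;
# an in-memory database stands in for the MySQL table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data using the thread's column names.
$dbh->do('CREATE TABLE table1 (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)');
my $ins = $dbh->prepare('INSERT INTO table1 VALUES (?, ?, ?, ?)');
$ins->execute(@$_) for (['a',       'x1', 'y1', 'z1'],
                        ['b',       'x2', 'y2', 'z2'],
                        ["O'Brien", 'x3', 'y3', 'z3']);

# One '?' per list element; the values travel as bind parameters and
# are never spliced into the SQL text, so no quoting is needed.
sub select_in {
    my ($dbh, @values) = @_;
    return [] unless @values;                # "IN ()" is a syntax error
    my $placeholders = join ',', ('?') x @values;
    my $sth = $dbh->prepare(
        "SELECT col2, col3, col4 FROM table1 WHERE col1 IN ($placeholders)");
    $sth->execute(@values);
    return $sth->fetchall_arrayref;
}

my $rows = select_in($dbh, 'a', 'b');
print scalar(@$rows), " rows for (a, b)\n";

# A value containing a quote is plain data here and still matches.
my $quoted = select_in($dbh, "O'Brien");
print scalar(@$quoted), " row for O'Brien\n";

$dbh->disconnect;
```

With the sprintf/join version from the original post, the apostrophe in "O'Brien" would have become part of the SQL text instead of a bound value.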