In article <[EMAIL PROTECTED]>, "Eamon Daly" <[EMAIL PROTECTED]> writes:
> my $sql = sprintf <<'EOF', join(',', @array);
> SELECT col2, col3, col4
> FROM table1
> WHERE col1 IN (%s)
> EOF
> my $sth = $dbh->prepare($sql);
> $sth->execute() or die $sth->errstr();

This code is susceptible to an SQL injection attack. I'd use something like the following instead:

my $sql = q{
    SELECT col2, col3, col4
    FROM table1
    WHERE col1 IN (%s)
};
my $sth = $dbh->prepare(sprintf $sql, join ',', map { $dbh->quote($_) } @array);
$sth->execute() or die $sth->errstr();

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
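The point made in the reply, worked through as an added example that is not part of the thread: the script below runs against an in-memory SQLite database (it assumes DBD::SQLite is installed; the table name and rows are constructed here to match the quoted query). It shows the SQL text that the original join produces, the `$dbh->quote` fix the reply suggests, and the DBI bind-placeholder form, which goes beyond the post. The guard against an empty `@array` is also added here, because `IN ()` is a syntax error in MySQL and SQLite alike.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not code from the original thread. Assumes DBD::SQLite is
# available so that everything runs offline against an in-memory database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Constructed schema and rows matching the columns used in the quoted query.
$dbh->do('CREATE TABLE table1 (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)');
$dbh->do('INSERT INTO table1 VALUES (?, ?, ?, ?)', undef, @$_)
    for ['alice', 'a2', 'a3', 'a4'],
        ['bob',   'b2', 'b3', 'b4'],
        ['carol', 'c2', 'c3', 'c4'];

# Constructed input: values as they might arrive from a caller. The second one
# contains a quote character, which is exactly what the original pattern mishandles.
my @array = ('alice', "o'brien");

# 1. The pattern quoted in the thread: the values become part of the SQL text.
#    Here that yields  IN (alice,o'brien)  -- not even valid SQL, and whatever
#    the caller supplies is now executed as query syntax rather than as data.
my $unsafe_sql = sprintf 'SELECT col2, col3, col4 FROM table1 WHERE col1 IN (%s)',
    join(',', @array);
print "SQL text produced by the original pattern:\n  $unsafe_sql\n\n";

# 2. The reply's fix: $dbh->quote() turns each value into a proper SQL string
#    literal (o'brien becomes 'o''brien'), so the data cannot change the syntax.
sub select_by_quote {
    my ($dbh, @values) = @_;
    return [] unless @values;                    # IN () would be a syntax error
    my $list = join ',', map { $dbh->quote($_) } @values;
    my $sth  = $dbh->prepare(
        "SELECT col2, col3, col4 FROM table1 WHERE col1 IN ($list)");
    $sth->execute();
    return $sth->fetchall_arrayref;
}

# 3. Bind placeholders: one '?' per value; the values are passed to execute()
#    and never appear in the SQL text at all. Preferred where the driver supports it.
sub select_by_placeholders {
    my ($dbh, @values) = @_;
    return [] unless @values;
    my $marks = join ',', ('?') x @values;       # e.g. "?,?"
    my $sth   = $dbh->prepare(
        "SELECT col2, col3, col4 FROM table1 WHERE col1 IN ($marks)");
    $sth->execute(@values);
    return $sth->fetchall_arrayref;
}

for my $case (['quote', \&select_by_quote],
              ['placeholders', \&select_by_placeholders]) {
    my ($label, $fn) = @$case;
    my $rows = $fn->($dbh, @array);
    print "Rows returned using $label (expect only alice's row):\n";
    print "  ", join(' | ', @$_), "\n" for @$rows;
}

$dbh->disconnect;
```

Both safe variants return only the `alice` row; the value containing the apostrophe is compared as data and simply matches nothing. The placeholder form also lets the driver cache the prepared statement across calls that have the same number of values.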