Re: Trapping error for $dbh-do()
Just three points: * Pasting values into the SQL command requires careful quoting. Parameters do this automatically. * Failing to quote correctly allows SQL injection, a common exploit for www tools, but this is also possible with command line and GUI tools. With parameters, the DBD::whatever takes care of quoting as a last resort, but usually, parameter values and command are transported separately to the database. So SQL injection is IMPOSSIBLE when using parameters. (Unless the DBD::whatever has a severe bug.) * Pasting values into SQL command requires to parse the SQL for each set of values. Using a single prepare() and repeated execute()s requires to parse only once, the parser result can be recycled. This makes things faster. prepare_cached() accelerates further. Alexander Loo, Peter # PHX wrote: Hi Alexander, Thanks for your kind input. Completely understood except the sentence starting with NEVER, NEVER Will you kindly explain? Thanks again. Peter -Original Message- From: Alexander Foken [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 2:11 PM To: Loo, Peter # PHX Cc: dbi-users@perl.org Subject: Re: Trapping error for $dbh-do() Quoting the DBI man page http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Database_Handle_Methods: do $rows = $dbh-do($statement) or die $dbh-errstr; $rows = $dbh-do($statement, \%attr) or die $dbh-errstr; $rows = $dbh-do($statement, \%attr, @bind_values) or die ... Prepare and execute a *SINGLE* statement. If your DBD seems to support mutliple statements in a single $dbh-do(), it does that by accident. If you need all or nothing, read about transactions: http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Transactions If you just need to process several SQL commands, use a loop. my @statements=(...); foreach my $st (@statements) { $dbh-do($st); } With transactions, you would wrap the entire loop and the final commit inside an eval BLOCK, and call rollback if $@ is true after the eval. NEVER, NEVER, NEVER put values inside the SQL statements, this begs for trouble and usually performs suboptimal. Hope that helps, Alexander Loo, Peter # PHX wrote: Hi, I am trying to execute multi SQL statements within the $dbh-do() and it appears to work fine except it does not give me an error when part of the SQL fails. For example: BEGIN WORK; CREATE TEMP TABLE p_temp AS SELECT col1 , col2 , col3 FROM table1 , table2 WHERE blah blah; INSERT INTO some_destination_table SELECT col1 , col2 , col3 , etc... FROM table1 , table2 , table3; COMMIT; The part that does the CREATE TEMP TABLE failed because one of the tables it is referencing does not exist, however, $dbh-do() did not return any error. I did in fact turned on the RaiseError in the connect statement. unless($dbh = DBI-connect(dbi:$dbDriver:$dbName, $dbUser, $dbPass, { RaiseError = 1 })) { $MESSAGE = ERROR: Connection failed to $dbName for user $dbUser.; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } I am also trying to trap $dbh-do() using eval. eval { $dbh-do($sqlString); }; if ($@) { $MESSAGE = ERROR: dbh-do($sqlString) failed. $@; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } Hope someone can shed some light for me. The versions I am using are: This is perl, v5.8.7 built for sun4-solaris $ perl -M'DBD::ODBC' -le 'print $DBD::ODBC::VERSION' 1.13 Thanks. Peter -- Alexander Foken mailto:[EMAIL PROTECTED] http://www.foken.de/alexander/ This E-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply E-mail, and destroy all copies of the original message. -- Alexander Foken mailto:[EMAIL PROTECTED] http://www.foken.de/alexander/
Trapping error for $dbh-do()
Hi, I am trying to execute multi SQL statements within the $dbh-do() and it appears to work fine except it does not give me an error when part of the SQL fails. For example: BEGIN WORK; CREATE TEMP TABLE p_temp AS SELECT col1 , col2 , col3 FROM table1 , table2 WHERE blah blah; INSERT INTO some_destination_table SELECT col1 , col2 , col3 , etc... FROM table1 , table2 , table3; COMMIT; The part that does the CREATE TEMP TABLE failed because one of the tables it is referencing does not exist, however, $dbh-do() did not return any error. I did in fact turned on the RaiseError in the connect statement. unless($dbh = DBI-connect(dbi:$dbDriver:$dbName, $dbUser, $dbPass, { RaiseError = 1 })) { $MESSAGE = ERROR: Connection failed to $dbName for user $dbUser.; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } I am also trying to trap $dbh-do() using eval. eval { $dbh-do($sqlString); }; if ($@) { $MESSAGE = ERROR: dbh-do($sqlString) failed. $@; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } Hope someone can shed some light for me. The versions I am using are: This is perl, v5.8.7 built for sun4-solaris $ perl -M'DBD::ODBC' -le 'print $DBD::ODBC::VERSION' 1.13 Thanks. Peter
Re: Trapping error for $dbh-do()
Quoting the DBI man page http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Database_Handle_Methods: do $rows = $dbh-do($statement) or die $dbh-errstr; $rows = $dbh-do($statement, \%attr) or die $dbh-errstr; $rows = $dbh-do($statement, \%attr, @bind_values) or die ... Prepare and execute a *SINGLE* statement. If your DBD seems to support mutliple statements in a single $dbh-do(), it does that by accident. If you need all or nothing, read about transactions: http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Transactions If you just need to process several SQL commands, use a loop. my @statements=(...); foreach my $st (@statements) { $dbh-do($st); } With transactions, you would wrap the entire loop and the final commit inside an eval BLOCK, and call rollback if $@ is true after the eval. NEVER, NEVER, NEVER put values inside the SQL statements, this begs for trouble and usually performs suboptimal. Hope that helps, Alexander Loo, Peter # PHX wrote: Hi, I am trying to execute multi SQL statements within the $dbh-do() and it appears to work fine except it does not give me an error when part of the SQL fails. For example: BEGIN WORK; CREATE TEMP TABLE p_temp AS SELECT col1 , col2 , col3 FROM table1 , table2 WHERE blah blah; INSERT INTO some_destination_table SELECT col1 , col2 , col3 , etc... FROM table1 , table2 , table3; COMMIT; The part that does the CREATE TEMP TABLE failed because one of the tables it is referencing does not exist, however, $dbh-do() did not return any error. I did in fact turned on the RaiseError in the connect statement. unless($dbh = DBI-connect(dbi:$dbDriver:$dbName, $dbUser, $dbPass, { RaiseError = 1 })) { $MESSAGE = ERROR: Connection failed to $dbName for user $dbUser.; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } I am also trying to trap $dbh-do() using eval. eval { $dbh-do($sqlString); }; if ($@) { $MESSAGE = ERROR: dbh-do($sqlString) failed. $@; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } Hope someone can shed some light for me. The versions I am using are: This is perl, v5.8.7 built for sun4-solaris $ perl -M'DBD::ODBC' -le 'print $DBD::ODBC::VERSION' 1.13 Thanks. Peter -- Alexander Foken mailto:[EMAIL PROTECTED] http://www.foken.de/alexander/
RE: Trapping error for $dbh-do()
Hi Alexander, Thanks for your kind input. Completely understood except the sentence starting with NEVER, NEVER Will you kindly explain? Thanks again. Peter -Original Message- From: Alexander Foken [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 2:11 PM To: Loo, Peter # PHX Cc: dbi-users@perl.org Subject: Re: Trapping error for $dbh-do() Quoting the DBI man page http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Database_Handle_Methods: do $rows = $dbh-do($statement) or die $dbh-errstr; $rows = $dbh-do($statement, \%attr) or die $dbh-errstr; $rows = $dbh-do($statement, \%attr, @bind_values) or die ... Prepare and execute a *SINGLE* statement. If your DBD seems to support mutliple statements in a single $dbh-do(), it does that by accident. If you need all or nothing, read about transactions: http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Transactions If you just need to process several SQL commands, use a loop. my @statements=(...); foreach my $st (@statements) { $dbh-do($st); } With transactions, you would wrap the entire loop and the final commit inside an eval BLOCK, and call rollback if $@ is true after the eval. NEVER, NEVER, NEVER put values inside the SQL statements, this begs for trouble and usually performs suboptimal. Hope that helps, Alexander Loo, Peter # PHX wrote: Hi, I am trying to execute multi SQL statements within the $dbh-do() and it appears to work fine except it does not give me an error when part of the SQL fails. For example: BEGIN WORK; CREATE TEMP TABLE p_temp AS SELECT col1 , col2 , col3 FROM table1 , table2 WHERE blah blah; INSERT INTO some_destination_table SELECT col1 , col2 , col3 , etc... FROM table1 , table2 , table3; COMMIT; The part that does the CREATE TEMP TABLE failed because one of the tables it is referencing does not exist, however, $dbh-do() did not return any error. I did in fact turned on the RaiseError in the connect statement. unless($dbh = DBI-connect(dbi:$dbDriver:$dbName, $dbUser, $dbPass, { RaiseError = 1 })) { $MESSAGE = ERROR: Connection failed to $dbName for user $dbUser.; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } I am also trying to trap $dbh-do() using eval. eval { $dbh-do($sqlString); }; if ($@) { $MESSAGE = ERROR: dbh-do($sqlString) failed. $@; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } Hope someone can shed some light for me. The versions I am using are: This is perl, v5.8.7 built for sun4-solaris $ perl -M'DBD::ODBC' -le 'print $DBD::ODBC::VERSION' 1.13 Thanks. Peter -- Alexander Foken mailto:[EMAIL PROTECTED] http://www.foken.de/alexander/ This E-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply E-mail, and destroy all copies of the original message.
Re: Trapping error for $dbh-do()
Hello Basically the reason for substitution variables.. the statement SELECT * from my_table where col1 = 0 and col2 = 1 and col3 -3 where the predicate would be supplied by the substitution variables :0 and :1 and :2 as in my $sth=$dbh-prepare(select * from my_table where col1=:0 and col2=:1 and col3=:2); Martin-- This email message and any files transmitted with it contain confidential information intended only for the person(s) to whom this email message is addressed. If you have received this email message in error, please notify the sender immediately by telephone or email and destroy the original message without making a copy. Thank you. - Original Message - From: Loo, Peter # PHX [EMAIL PROTECTED] To: Alexander Foken [EMAIL PROTECTED] Cc: dbi-users@perl.org Sent: Tuesday, May 08, 2007 5:44 PM Subject: RE: Trapping error for $dbh-do() Hi Alexander, Thanks for your kind input. Completely understood except the sentence starting with NEVER, NEVER Will you kindly explain? Thanks again. Peter -Original Message- From: Alexander Foken [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 08, 2007 2:11 PM To: Loo, Peter # PHX Cc: dbi-users@perl.org Subject: Re: Trapping error for $dbh-do() Quoting the DBI man page http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Database_Handle_Methods: do $rows = $dbh-do($statement) or die $dbh-errstr; $rows = $dbh-do($statement, \%attr) or die $dbh-errstr; $rows = $dbh-do($statement, \%attr, @bind_values) or die ... Prepare and execute a *SINGLE* statement. If your DBD seems to support mutliple statements in a single $dbh-do(), it does that by accident. If you need all or nothing, read about transactions: http://search.cpan.org/~timb/DBI-1.55/DBI.pm#Transactions If you just need to process several SQL commands, use a loop. my @statements=(...); foreach my $st (@statements) { $dbh-do($st); } With transactions, you would wrap the entire loop and the final commit inside an eval BLOCK, and call rollback if $@ is true after the eval. NEVER, NEVER, NEVER put values inside the SQL statements, this begs for trouble and usually performs suboptimal. Hope that helps, Alexander Loo, Peter # PHX wrote: Hi, I am trying to execute multi SQL statements within the $dbh-do() and it appears to work fine except it does not give me an error when part of the SQL fails. For example: BEGIN WORK; CREATE TEMP TABLE p_temp AS SELECT col1 , col2 , col3 FROM table1 , table2 WHERE blah blah; INSERT INTO some_destination_table SELECT col1 , col2 , col3 , etc... FROM table1 , table2 , table3; COMMIT; The part that does the CREATE TEMP TABLE failed because one of the tables it is referencing does not exist, however, $dbh-do() did not return any error. I did in fact turned on the RaiseError in the connect statement. unless($dbh = DBI-connect(dbi:$dbDriver:$dbName, $dbUser, $dbPass, { RaiseError = 1 })) { $MESSAGE = ERROR: Connection failed to $dbName for user $dbUser.; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } I am also trying to trap $dbh-do() using eval. eval { $dbh-do($sqlString); }; if ($@) { $MESSAGE = ERROR: dbh-do($sqlString) failed. $@; print STDERR $MESSAGE\n\n; $STATUS = $FAILURE; sub_exit(); } Hope someone can shed some light for me. The versions I am using are: This is perl, v5.8.7 built for sun4-solaris $ perl -M'DBD::ODBC' -le 'print $DBD::ODBC::VERSION' 1.13 Thanks. Peter -- Alexander Foken mailto:[EMAIL PROTECTED] http://www.foken.de/alexander/ This E-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply E-mail, and destroy all copies of the original message.