Another reason the placeholders are a good idea is connections to the DB.
You need only prepare a statement using placeholders once, then use the
handle for 10,000 executes (hypothetical number :)). If you use actual
values in the prepare, that uses a connection to the DB each time the
prepare is done until that handle is cleared.
It is known to be an issue with DBD::JDBC and clearing handles. Best to
limit them.
My 2 cents....
-----Original Message-----
From: Curtis Poe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2001 6:18 PM
To: CGI Beginners
Subject: RE: This n' that
--- Kris Cook <[EMAIL PROTECTED]> wrote:
> Ah. Both are easier. I especially like the here-doc method, which is what
> I should have used. Thanks, Brett.
Might I suggest that you use placeholders? It has the benefit of
automatically quoting your values for you. Amongst other benefits, you
won't have to remember to automatically quote your data. For example,
some poorly designed Web sites will crash if a single quote mark ' is
entered into a field. This is because variables with embedded single
quotes must have those single quotes escaped.
# This is bad: the values are interpolated into the SQL text, so a
# single quote inside $question (or $answer) breaks the statement
my $sql = qq{
    INSERT INTO questions ( date, question, answer )
    VALUES ( $date, $question, $answer )};
my $sth = $dbh->prepare($sql);
$sth->execute;

# This is good: the driver binds the values as data, quoting them for you
my $sql = qq{
    INSERT INTO questions ( date, question, answer )
    VALUES ( ?, ?, ? )};
my $sth = $dbh->prepare($sql);
$sth->execute( $date, $question, $answer );
Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
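As an added example (not code from either message in this thread), the script below puts Curtis's "bad" and "good" snippets side by side in a runnable form, and also shows the prepare-once, execute-many handle reuse the reply above mentions. It assumes DBD::SQLite is installed and uses an in-memory database so it runs offline; the two sample rows are constructed, and the first carries an embedded single quote on purpose.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed. An in-memory DB keeps this self-contained.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do(q{CREATE TABLE questions (date TEXT, question TEXT, answer TEXT)});

# Constructed sample input. The first question contains a single quote,
# which is exactly the kind of value that breaks an interpolated statement.
my @rows = (
    [ '2001-06-06', q{What's a placeholder?},       'A marker the driver binds a value to'        ],
    [ '2001-06-06', q{Why escape 'single' quotes?}, 'Because they terminate an SQL string literal' ],
);

# The "bad" way: values interpolated into the SQL text. The quote in
# $question ends the string literal early and the statement fails to parse.
# The error is caught here only so the script can report it and carry on.
sub insert_interpolated {
    my ($dbh, $date, $question, $answer) = @_;
    my $sql = qq{INSERT INTO questions (date, question, answer)
                 VALUES ('$date', '$question', '$answer')};
    my $ok = eval { $dbh->do($sql); 1 };
    return $ok ? 'inserted' : "failed: $@";
}

# The "good" way: prepare once with placeholders, execute once per row.
# The driver binds each value as data, so quotes in the data never reach
# the SQL parser, and only one statement handle is created for all rows.
sub insert_with_placeholders {
    my ($dbh, @rows) = @_;
    my $sth = $dbh->prepare(
        q{INSERT INTO questions (date, question, answer) VALUES (?, ?, ?)});
    $sth->execute(@$_) for @rows;
    $sth->finish;    # release the handle when you are done with it
    return scalar @rows;
}

print "interpolated: ", insert_interpolated($dbh, @{ $rows[0] }), "\n";
print "placeholders: inserted ", insert_with_placeholders($dbh, @rows), " rows\n";

my ($count) = $dbh->selectrow_array(q{SELECT COUNT(*) FROM questions});
print "rows in table: $count\n";

my ($stored) = $dbh->selectrow_array(
    q{SELECT question FROM questions WHERE question LIKE 'What%'});
print "stored verbatim: $stored\n";

$dbh->disconnect;
```

Running it shows the interpolated insert failing with a syntax error from the database while both rows go in cleanly through the placeholder path, with the quoted text stored exactly as supplied. Because the placeholder version reuses a single prepared handle for every row, it is also the shape to use for the large batch inserts the reply above describes.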