"David Gilden" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> One final question here on my SQL -- PERL DBI
>
> the following is wrong -- it does not work!
>
> $sql = qq|insert into $table_name values (null,now(),"$email","$name","$comments");|;
> $sql = $dbh->quote($sql); ## this line
> $sth = $dbh->prepare($sql);
Right. You don't want to quote the whole SQL statement.

> if I do this:
>
> $name = $dbh->quote(param('Name'));
> $email = param('Email');
> $comments = $dbh->quote(param('Comments'));
>
> $sql = qq|insert into $table_name values (null,now(),"$email","$name","$comments");|;
> $sth = $dbh->prepare($sql);
>
> It works, it escapes \'s just fine but also adds 'around the text string'.
> I just want to escape \'s

Right, it prepares the value for embedding in a SQL statement. If you drop the double quotes in your assignment to $sql, it will work.

> I was using:
> $value =~ s/'/\\'/g; # escape 's
>
> Wiggins d'Anconia suggested using DBI to escape \'s. Did I miss something in the perldoc DBI?

I would use placeholders:

# double quotes so $table_name is interpolated; the ? markers are not
$sql = "insert into $table_name values (null, now(), ?, ?, ?)";
$sth = $dbh->prepare($sql);
# bind values in the table's column order: email, name, comments
$sth->execute( param('Email'), param('Name'), param('Comments') );

the execute() method will run each of its arguments through quote() for you, so you don't have to think about it.

Todd W.

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
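A runnable version of the placeholder approach from the reply above, added here as an example and not code posted in the thread. It assumes DBD::SQLite is installed and uses an in-memory database in place of the MySQL table (so MySQL's now() becomes SQLite's datetime('now')); the form input in %param is constructed to contain the apostrophes, double quotes and backslashes that break string interpolation. It also shows what quote() actually returns, which is the source of the "adds quotes around the text string" observation.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; :memory: stands in for the MySQL table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

my $table_name = 'comments';
$dbh->do("CREATE TABLE $table_name (id INTEGER PRIMARY KEY, posted TEXT, "
       . "email TEXT, name TEXT, comments TEXT)");

# Constructed form input (what CGI's param() would return), chosen to
# contain every character that breaks naive interpolation.
my %param = (
    Email    => 'dave@example.com',
    Name     => q{O'Brien},
    Comments => q{said "hi"; a backslash \ and a quote ' here},
);

# 1. quote() escapes the value AND wraps it in single quotes, so the caller
#    must not add its own quotes around the result. The escaping style is
#    driver specific: DBD::SQLite doubles the apostrophe (O''Brien),
#    DBD::mysql backslash-escapes it (O\'Brien).
my $quoted = $dbh->quote($param{Name});
print "quote() returns: $quoted\n";

# 2. Placeholders: the statement text never contains user data. The values
#    go to execute() separately, in the table's column order.
my $sql = "INSERT INTO $table_name VALUES (NULL, datetime('now'), ?, ?, ?)";
my $sth = $dbh->prepare($sql);
$sth->execute(@param{qw(Email Name Comments)});

# 3. The same insert by interpolation: the apostrophe in Name ends the string
#    literal early. Here that is a syntax error; with attacker-chosen input it
#    is an injection point. RaiseError makes do() die, so eval catches it.
my $bad = "INSERT INTO $table_name VALUES (NULL, datetime('now'), "
        . "'$param{Email}', '$param{Name}', '$param{Comments}')";
if (eval { $dbh->do($bad); 1 }) {
    print "interpolated insert unexpectedly succeeded\n";
} else {
    print "interpolated insert failed: $@";
}

# 4. Read back: the stored values are byte-for-byte the original input,
#    with no escaping characters left in the data.
my $rows = $dbh->selectall_arrayref("SELECT email, name, comments FROM $table_name");
for my $r (@$rows) {
    print join(' | ', @$r), "\n";
}
die "value was not stored verbatim" unless $rows->[0][1] eq $param{Name};

$dbh->disconnect;
```

Run it with `perl placeholders.pl`; one row is printed from the placeholder insert and the interpolated insert reports a syntax error. Replacing the DSN with a dbi:mysql one (and datetime('now') with now()) gives the same behaviour against the MySQL table from the thread.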