On Wed, Jul 18, 2001 at 04:27:28PM +0100, David Wood wrote:
> Another point to mention is that DBI->quote looks not only at the value
> being inserted, but also at the data_type of the table/field it's going
> into, and replaces undef values with an unquoted NULL value, if
> appropriate. This is especially handy with the map DBI->quote method from
> earlier.
Just to clarify, you're talking about placeholders here, right? The quote()
method, when used standalone (i.e. $dbh->quote($foo)), can't possibly know
the datatype of the field you're placing the value into.
> I guess it's just a case of applying the best solution for a given
> circumstance.
The only circumstance where the simple quoting method of "INSERT INTO foo
VALUES ('$bar', '$baz')" is appropriate is the one where you're absolutely,
positively, 100% certain $bar and $baz can never contain apostrophes. In my
experience, this circumstance never comes to be on its own; the programmer
has to force it by filtering the variables.
Granted, you can quote $bar and $baz beforehand, either with quotemeta or
DBI's quote method, but placeholders are easier.
Michael
--
Administrator www.shoebox.net
Programmer, System Administrator www.gallanttech.com
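The three approaches discussed in this thread (raw interpolation, a quote()-style escaping function, and placeholders), shown side by side. This is an added example and is not code from the original post or from DBI; it uses Python's sqlite3 module as a stand-in for Perl DBI because its `?` placeholders work the same way. The `sql_quote` function is a hypothetical stand-in for $dbh->quote(): it maps None (undef) to an unquoted NULL and otherwise doubles embedded apostrophes, which is standard SQL and DBI's default behaviour; like a standalone quote() call it knows nothing about the target column's type. The sample values are constructed.

```python
import sqlite3

# Constructed sample input: a legitimate value containing an apostrophe, and a
# hostile value that closes the quoted literal early and adds a second row.
LEGIT = ("O'Brien", "Dublin")
HOSTILE = ("x', 'y'), ('injected", "row")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (bar TEXT, baz TEXT)")
    return conn


def insert_interpolated(conn, bar, baz):
    """The pattern from the thread: values pasted straight into the SQL text."""
    sql = "INSERT INTO foo VALUES ('%s', '%s')" % (bar, baz)
    conn.execute(sql)


def insert_placeholders(conn, bar, baz):
    """Placeholders: the driver sends values separately, so they can never
    become part of the statement's syntax."""
    conn.execute("INSERT INTO foo VALUES (?, ?)", (bar, baz))


def sql_quote(value):
    """Hypothetical stand-in for DBI's quote(): None becomes an unquoted NULL,
    anything else is wrapped in single quotes with embedded quotes doubled."""
    if value is None:
        return "NULL"
    return "'" + str(value).replace("'", "''") + "'"


def insert_quoted(conn, bar, baz):
    """Manual quoting: safe as long as every value passes through sql_quote."""
    sql = "INSERT INTO foo VALUES (%s, %s)" % (sql_quote(bar), sql_quote(baz))
    conn.execute(sql)


def rows(conn):
    return conn.execute("SELECT bar, baz FROM foo ORDER BY rowid").fetchall()


def demo():
    results = {}

    # 1. Interpolation with a harmless apostrophe: the statement is broken.
    conn = fresh_db()
    try:
        insert_interpolated(conn, *LEGIT)
        results["interp_legit"] = rows(conn)
    except sqlite3.OperationalError as e:
        results["interp_legit"] = "error: %s" % e

    # 2. Interpolation with a hostile value: the attacker adds a row of their own.
    conn = fresh_db()
    insert_interpolated(conn, *HOSTILE)
    results["interp_hostile"] = rows(conn)

    # 3. Placeholders: both values are stored verbatim, one row each.
    conn = fresh_db()
    insert_placeholders(conn, *LEGIT)
    insert_placeholders(conn, *HOSTILE)
    results["placeholders"] = rows(conn)

    # 4. Manual quoting: same outcome as placeholders, and None becomes NULL.
    conn = fresh_db()
    insert_quoted(conn, *LEGIT)
    insert_quoted(conn, *HOSTILE)
    insert_quoted(conn, None, "no bar")
    results["quoted"] = rows(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that sql_quote turns every non-NULL value into a string literal; deciding whether a value should instead be an unquoted number is what the datatype-aware path in the quoted message refers to, and a standalone escaping function has no way to make that decision. Doubling the apostrophe is the escape the SQL standard defines; backslash-style escaping (as quotemeta would produce) is only honoured by some backends, which is one more reason placeholders are the simpler choice.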