On Fri, 30 Dec 2011 12:08:50 -0500 Mark Haney <ma...@abemblem.com> wrote:
> I'm not sure if this is the right list for this, so bear with me. If it
> isn't I'll be glad to post it on the correct one.
>
> I've got a problem with passing variables to a SQL server inside a CGI
> script. My code is like this:
>
> my $begin_time = "2011-11-16 11:00:00";
> my $end_time = "2011-11-16 12:00:00";
>
> my $dbh = DBI->connect('dbi:mysql:database=embdev', 'user', 'password');
>
> my $sql = q/SELECT * FROM events WHERE date BETWEEN $begin_time and
> $end_time/;
>
> my $sth = $dbh->prepare($sql);
> $sth->execute();
>
> I'm not sure why it's not using the variables, can someone point out
> what I'm doing wrong?
>

Please use placeholders:

* http://en.wikipedia.org/wiki/SQL_injection
* http://bobby-tables.com/

The problem with your code is that Perl only expands variables inside strings (called "string-interpolation") when these strings are notated - not later on.

The best way to solve it is using placeholders, which will also help mitigate SQL injection problems.

Regards,

Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
"The Human Hacking Field Guide" - http://shlom.in/hhfg

I’d love to change the world, but they won’t give me the source code.
    — Unknown

Please reply to list if it's a mailing list post - http://shlom.in/reply .

-- 
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
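The placeholder version of the query from the thread, written out as an added example (it is not code from the original poster or from Shlomi Fish). It reuses the DSN, table and column names from the post; the credentials and the two timestamps are placeholders standing in for whatever the real CGI script reads from its request parameters.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Connection details as given in the post; the credentials are placeholders.
# RaiseError turns DBI failures into exceptions so a broken query cannot
# silently return nothing.
my $dbh = DBI->connect(
    'dbi:mysql:database=embdev', 'user', 'password',
    { RaiseError => 1, PrintError => 0 },
) or die "connect failed: $DBI::errstr";

# In a CGI script these would come from the request; constructed values here.
my $begin_time = "2011-11-16 11:00:00";
my $end_time   = "2011-11-16 12:00:00";

# The SQL text contains no user data at all. The driver sends the bound
# values separately, so a value containing a quote is still just a string
# and can never change the shape of the statement. This also sidesteps the
# q// interpolation problem from the post: nothing needs interpolating.
my $sql = 'SELECT * FROM events WHERE date BETWEEN ? AND ?';

my $sth = $dbh->prepare($sql);
$sth->execute($begin_time, $end_time);   # bind values positionally to the ?s

while (my $row = $sth->fetchrow_hashref) {
    print join("\t", map { defined $row->{$_} ? $row->{$_} : '' } sort keys %$row), "\n";
}
$sth->finish;

# The same query through DBI's convenience method, which prepares, binds
# and fetches every row in one call; bind values still go last.
my $rows = $dbh->selectall_arrayref($sql, { Slice => {} }, $begin_time, $end_time);
printf "%d event(s) between %s and %s\n", scalar @$rows, $begin_time, $end_time;

$dbh->disconnect;
```

Switching the original `q//` to `qq//` would make the variables interpolate, but the values would then be pasted into the SQL text, which is exactly the injection risk the links above describe once those values come from a web request. Placeholders solve both problems at once, and the `?` markers only accept values, not table or column names, so the statement structure stays fixed.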