On Tue, Feb 26, 2002 at 07:13:52PM -0000, Angus Laycock wrote:
> I am trying to handle parameters from UNIX that call a PERL script that uses
> DBI, that then calls Sybase stored procedures.
> 
> The problem I have found is that they don't pass the strings with single
> quotes and dates are 02-27-02, again without quotes. So I tried to quote
> them but found that they pass some numbers as well for "int" datatypes and
> some are negative and some are positive.

With DBI, quoting can be handled automatically with placeholders, or manually
with the quote() method ($dbh->quote).  These methods of quoting should be
driver-specific, so it should handle the int datatypes correctly.  I'd
suggest using placeholders; you can read about them in perldoc DBI.

With the method you're currently using, by manually quoting and joining,
you're not accounting for single quotes in the data.  Allowing such quotes
through can, at best, cause SQL errors, at worst provide an exploit
potential.


Michael
--
Administrator                      www.shoebox.net
Programmer, System Administrator   www.gallanttech.com
--
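An added example (not code from either poster) contrasting the hand-quoted join with a placeholder-based stored procedure call. The procedure name `update_account`, its three parameters, the `SYBASE_*` environment variables and the sample values are assumptions; it also assumes DBD::Sybase accepts `?` placeholders in `exec` statements.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Hypothetical procedure:  exec update_account @name, @start_date, @delta
# Values arrive from the shell as described in the thread: no quotes,
# dates like 02-27-02, ints that may be negative. Constructed sample input:
my @args = @ARGV ? @ARGV : ("O'Brien", '02-27-02', '-15');

# 1. Manual quoting and joining, the approach the poster was trying.
sub build_exec_by_hand {
    my ($proc, @vals) = @_;
    # Wraps every value in single quotes. An embedded ' in the data
    # (O'Brien) closes the string literal early, so the statement the
    # server sees is no longer the one the programmer intended.
    return "exec $proc " . join(', ', map { "'$_'" } @vals);
}
print build_exec_by_hand('update_account', @args), "\n";

# 2. Placeholders: the SQL text carries no data at all; the driver binds
#    each value at execute() time and handles quoting and datatypes itself.
sub run_proc_with_placeholders {
    my ($dbh, $proc, @vals) = @_;
    my $sql = "exec $proc " . join(', ', ('?') x @vals);   # exec update_account ?, ?, ?
    my $sth = $dbh->prepare($sql);
    $sth->execute(@vals);    # O'Brien and -15 reach the procedure intact
    return $sth;
}

# 3. If the string must be built by hand, let the driver quote each value
#    ($dbh->quote escapes the embedded quote instead of passing it through).
sub build_exec_with_quote {
    my ($dbh, $proc, @vals) = @_;
    return "exec $proc " . join(', ', map { $dbh->quote($_) } @vals);
}

# Only connect when a DSN is supplied (DSN and login variables are assumptions).
if ($ENV{SYBASE_DSN}) {
    my $dbh = DBI->connect($ENV{SYBASE_DSN}, $ENV{SYBASE_USER}, $ENV{SYBASE_PW},
                           { RaiseError => 1, PrintError => 0 });
    print build_exec_with_quote($dbh, 'update_account', @args), "\n";
    my $sth = run_proc_with_placeholders($dbh, 'update_account', @args);
    $sth->finish;
    $dbh->disconnect;
}
```

Run it without `SYBASE_DSN` set to see only the malformed hand-built statement; with a DSN it also executes the placeholder version against the server.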
