On Jun 11, 2007, at 7:52 PM, Northstardomus wrote:
I have a Perl script where I try to strip some data from a web page and insert it into a database. I'm having a problem where it seems like the method of quoting the data for insertion doesn't seem to be working (as far as escaping the text) and some of the text is ending up getting injected into the SQL command.

In this example, I am capturing the paragraphs of text and inserting each HTML paragraph into a new record. What seems to be hanging up the insertion is the "or die" portion of the text. It will also bomb if the text has a word like "don't".

I thought the insertion mechanism I'm using would properly escape these special
There are two methods of doing a "safe" insertion that I'm familiar with under the DBI module. I've never had a problem with either of these. But I've had many problems when I don't use these.

Option one: use the prepare statement

    my $sql = "insert into table(name, address, state) values (?,?,?)";
    my $sth = $dbh->prepare($sql);
    ...
    $sth->execute($name, $address, $state);

This will automatically do proper escaping of the strings you want to insert.
Option two: if for some reason it's not practical or possible to use the prepare statement then you can use the DBI quote(). However, this is generally rare.

    my $sql = "insert into table(name) values (" . $dbh->quote($name) . ")";
    $dbh->do($sql);

But option one is going to be your best bet.
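An added example, not from either message in this thread, that reproduces the poster's failure and then shows both of the reply's options side by side. It assumes DBD::SQLite is installed so the script can run against an in-memory database; the sample paragraphs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample paragraphs of the kind the poster was scraping. The apostrophe
# in "don't" and the quoted "or die" fragment are exactly what broke the insert.
my @paragraphs = (
    "<p>I don't think this will work.</p>",
    "<p>open(my \$fh, '<', \$file) or die 'Cannot open file';</p>",
);

# In-memory SQLite database so the example runs offline (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE paragraphs (id INTEGER PRIMARY KEY, body TEXT)");

# The broken approach: interpolating scraped text straight into the statement.
# The first apostrophe ends the string literal, and the rest of the paragraph is
# parsed as SQL, so the statement fails (or, with other input, executes something else).
for my $text (@paragraphs) {
    my $ok = eval { $dbh->do("INSERT INTO paragraphs(body) VALUES ('$text')"); 1 };
    print "interpolated: ", ($ok ? "inserted" : "FAILED: $@"), "\n";
}

# Option one from the reply: a prepared statement with a placeholder. The text is
# sent as a bound value and never parsed as SQL, so quotes and keywords are harmless.
my $sth = $dbh->prepare("INSERT INTO paragraphs(body) VALUES (?)");
$sth->execute($_) for @paragraphs;

# Option two: $dbh->quote() escapes and wraps the value for the rare case where a
# placeholder is impractical.
my $quoted = $dbh->quote($paragraphs[0]);
$dbh->do("INSERT INTO paragraphs(body) VALUES ($quoted)");

# Read back and confirm the stored text matches what was scraped, quotes included.
my $rows = $dbh->selectall_arrayref("SELECT body FROM paragraphs ORDER BY id");
print "stored: $_->[0]\n" for @$rows;
```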