On Jun 12, 8:48 am, [EMAIL PROTECTED] (Jenda Krynicky) wrote:
> From: "Mumia W." <[EMAIL PROTECTED]>
>
> > On 06/11/2007 06:52 PM, Northstardomus wrote:
> > > [...]
> > >     print "<br/>Inserting into Database , @values.";
>
> > Use the "quotemeta" function to escape special characters
> > that may be in the values.
>
> Please don't!
>
> > my @values_copy = @values;
> > @values = map quotemeta($_), @values;
>
> > >     $dbh->do("INSERT INTO area_status (areaID, survey_date,
> > > update_time,
> > > status ) VALUES ('$values[0]', '$values[1]', '$values[2]',
> > > '$values[3]')");
> > >     $dbh->disconnect();
> > >   }
> > > }
>
> > Read "perldoc -f quotemeta"
>
> Please do!
>
> The quotemeta() should NOT be used to escape data for the database.
> It was not designed for that and it knows nothing about your
> database. So it will most likely escape too much (it doesn't look too
> professional to display the text with backslashes scattered
> everywhere) and/or it may escape something in a different way than
> the database expects.
>
> Either use the DATABASE SPECIFIC $dbh->quote() or even better use
> $dbh->prepare() and placeholders. That's by far the safest and most
> efficient solution.
>
> Jenda
> ===== [EMAIL PROTECTED] ===http://Jenda.Krynicky.cz=====
> When it comes to wine, women and song, wizards are allowed
> to get drunk and croon as much as they like.
>         -- Terry Pratchett in Sourcery

I'll try the prepare ASAP (tonight at the earliest) and post the results. For some reason, I thought that was what I was doing but looking through the code it appears I haven't. Thanks!
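
Added example, not code from the thread or from any of its posters: the three options discussed above (quotemeta, $dbh->quote(), and prepare() with placeholders) run against the area_status columns named in the thread. It assumes DBD::SQLite is installed; the in-memory database and the sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database stands in
# for the poster's real one. Column names are taken from the thread.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE area_status
          (areaID TEXT, survey_date TEXT, update_time TEXT, status TEXT)');

# Constructed sample row; the last value contains apostrophes.
my @values = ('A-17', '2007-06-11', '18:52:00', "O'Brien's lot: closed");

# 1. quotemeta() backslashes every non-word character. It is a regex
#    helper and knows nothing about the SQL dialect in use.
my @mangled = map quotemeta($_), @values;
print "quotemeta:   $mangled[3]\n";

# Interpolating the mangled values: SQLite does not treat backslash as an
# escape character, so the apostrophe still terminates the string literal
# and the statement is rejected.
my $ok = eval {
    $dbh->do("INSERT INTO area_status (areaID, survey_date, update_time, status)
              VALUES ('$mangled[0]', '$mangled[1]', '$mangled[2]', '$mangled[3]')");
    1;
};
print "interpolated insert: ", ($ok ? "succeeded\n" : "failed: $@");

# 2. $dbh->quote() applies the quoting rules of the connected driver.
print "dbh->quote:  ", $dbh->quote($values[3]), "\n";

# 3. Placeholders: the values are bound as data and never parsed as SQL,
#    so no escaping is needed and nothing is altered on the way in.
my $sth = $dbh->prepare('INSERT INTO area_status
    (areaID, survey_date, update_time, status) VALUES (?, ?, ?, ?)');
$sth->execute(@values);

my @row = $dbh->selectrow_array(
    'SELECT areaID, survey_date, update_time, status FROM area_status');
print "round trip:  ", ("@row" eq "@values" ? "identical" : "altered"), "\n";

$dbh->disconnect;
```

The prepared statement handle can be reused with execute() for each further row, which is where the efficiency gain mentioned above comes from.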