Re: problem with passing variables

2011-12-30 Thread Shlomi Fish
Hi Mark,

On Fri, 30 Dec 2011 14:19:04 -0500 Mark Haney wrote:
> On 12/30/2011 12:50 PM, Igor Dovgiy wrote:
> > If you pass into SQL query something assigned by user, use
> > placeholders by all means. ) It's not that hard, but it'll save you a
> > lot of headaches, believe me. )
> >
> > 2011/1

Re: problem with passing variables

2011-12-30 Thread Mark Haney
On 12/30/2011 12:50 PM, Igor Dovgiy wrote:
If you pass into SQL query something assigned by user, use placeholders by all means. ) It's not that hard, but it'll save you a lot of headaches, believe me. )
2011/12/30 Mark Haney <ma...@abemblem.com>
But there's another (and in my opi

Re: problem with passing variables

2011-12-30 Thread Igor Dovgiy
If you pass into SQL query something assigned by user, use placeholders by all means. ) It's not that hard, but it'll save you a lot of headaches, believe me. )

2011/12/30 Mark Haney
> But there's another (and in my opinion, usually better) way: using
> prepared sql statement:
> my $sth = $dbh->

Re: problem with passing variables

2011-12-30 Thread Shlomi Fish
Hi Mark,

On Fri, 30 Dec 2011 12:39:04 -0500 Mark Haney wrote:
> On 12/30/2011 12:30 PM, Igor Dovgiy wrote:
> > Hi Mark,
> >
> > If your variables are strictly internal and by no means might be ever
> > tainted (read: user input), what you're doing is mostly ok.
> > But you need to quote the dat

Re: problem with passing variables

2011-12-30 Thread Mark Haney
On 12/30/2011 12:30 PM, Igor Dovgiy wrote:
Hi Mark, If your variables are strictly internal and by no means might be ever tainted (read: user input), what you're doing is mostly ok. But you need to quote the dates passed within query itself, like this:
my $sql = qq/SELECT * FROM `events` WHER

Re: problem with passing variables

2011-12-30 Thread Shlomi Fish
On Fri, 30 Dec 2011 12:08:50 -0500 Mark Haney wrote:
> I'm not sure if this is the right list for this, so bear with me. If it
> isn't I'll be glad to post it on the correct one.
>
> I've got a problem with passing variables to a SQL server inside a CGI
> script. My code is like this:
>
> m

Re: problem with passing variables

2011-12-30 Thread Igor Dovgiy
Hi Mark,

If your variables are strictly internal and by no means might be ever tainted (read: user input), what you're doing is mostly ok. But you need to quote the dates passed within query itself, like this:

my $sql = qq/SELECT * FROM `events` WHERE `date` BETWEEN '$begin_time' AND '$end_time'/