This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Subject: RE: Passing CGI parameters to a SQL querry From: "Marco Wise" <dbi@inxite.com> Date: Wed, 9 Aug 2000 12:35:34 -0500 On Behalf Of Jeff Thies: > > Joe Grastara wrote: > > > > I am trying to pass form parameters to a SQL querry however, the script > > keeps returning, 'no match'. However when I substitute a an actual name > > in the querry instead of a scalar, the script runs fine. Here is the > > script I am using, > > > > #!/usr/local/bin/perl > > use DBI; > > use CGI qw(:standard); > > $lastname=param("lastName"); > > $firstname=param("firstName"); > > my $dbh = > > DBI->connect("$SID$","$UID","$PWD",{PrintError=>1}) or d > > ie "Can't connect to Oracle database: $DBI::errstr\n"; > > > > my $sth = $dbh->prepare("SELECT FIRST_NAME, LAST_NAME, TITLE, EMAIL FROM > > PH.NAME > > , PH.PERSON WHERE LAST_NAME='$lastname' AND > > Seems like a good example of why not to do it this way. The single quote > around $lastname passes the string $lastname rather than the value > > my $sql=qq{SELECT FIRST_NAME, LAST_NAME, TITLE, EMAIL FROM PH.NAME > , PH.PERSON WHERE LAST_NAME="$lastname"}; > > or better: > > my $sql=qq{SELECT FIRST_NAME, LAST_NAME, TITLE, EMAIL FROM PH.NAME > , PH.PERSON WHERE LAST_NAME=?}; > my $sth = $dbh->prepare($sql); > $sth->execute($lastname); > > > > PH.PERSON.PER_ID=PH.NAME.PER_ID"); > > $sth->execute(); > > > > open (TABLEDATA, "> ~/tabledata.tab"); > > > > @row = $sth->fetchrow_array(); > > > > foreach $row (@row) { > > print TABLEDATA "$row "; > > } > > Thanks in advance for any help. How about using $dbh->quote? This is more portable, too. As in: $quoted_lastname = $dbh->quote($lastname); my $sth = $dbh->prepare("SELECT FIRST_NAME, LAST_NAME, TITLE, EMAIL FROM PH.NAME, PH.PERSON WHERE LAST_NAME=$quoted_lastname"); ===