perl_dbi_dbh_quote

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: RE: Passing CGI parameters to a SQL querry
From: "Marco Wise" <dbi@inxite.com>
Date: Wed, 9 Aug 2000 12:35:34 -0500




On Behalf Of Jeff Thies:
>
> Joe Grastara wrote:
> >
> > I am trying to pass form parameters to a SQL querry however, the script
> > keeps returning, 'no match'.  However when I substitute a an actual name
> > in the querry instead of a scalar, the script runs fine. Here is the
> > script I am using,
> >
> > #!/usr/local/bin/perl
> > use DBI;
> > use CGI qw(:standard);
> > $lastname=param("lastName");
> > $firstname=param("firstName");
> > my $dbh =
> > DBI->connect("$SID$","$UID","$PWD",{PrintError=>1}) or d
> > ie "Can't connect to Oracle database: $DBI::errstr\n";
> >
> > my $sth = $dbh->prepare("SELECT FIRST_NAME, LAST_NAME, TITLE, EMAIL FROM
> > PH.NAME
> > , PH.PERSON WHERE LAST_NAME='$lastname' AND
>
> Seems like a good example of why not to do it this way. The single quote
> around $lastname passes the string $lastname rather than the value
>
> my $sql=qq{SELECT FIRST_NAME, LAST_NAME, TITLE, EMAIL FROM PH.NAME
>  , PH.PERSON WHERE LAST_NAME="$lastname"};
>
> or better:
>
> my $sql=qq{SELECT FIRST_NAME, LAST_NAME, TITLE, EMAIL FROM PH.NAME
>  , PH.PERSON WHERE LAST_NAME=?};
> my $sth = $dbh->prepare($sql);
> $sth->execute($lastname);
>
>
> > PH.PERSON.PER_ID=PH.NAME.PER_ID");
> > $sth->execute();
> >
> > open (TABLEDATA, "> ~/tabledata.tab");
> >
> > @row = $sth->fetchrow_array();
> >
> > foreach $row (@row) {
> > print TABLEDATA "$row   ";
> > }
> > Thanks in advance for any help.

How about using $dbh->quote? This is more portable, too.

As in:
$quoted_lastname = $dbh->quote($lastname);

my $sth = $dbh->prepare("SELECT FIRST_NAME,
                                LAST_NAME,
                                TITLE,
                                EMAIL
                         FROM   PH.NAME,
                                PH.PERSON
                         WHERE  LAST_NAME=$quoted_lastname");


===

the rest of The Pile (a partial mailing list archive)

doom@kzsu.stanford.edu