
How to insert text into mysql having quotes using perl

Tags:

mysql

perl

How do I insert text containing quotes into MySQL using Perl? It seems difficult to insert text containing ' and ". I'm using the Perl DBI module and the DB is MySQL.

UPDATE:

Here is my query:

my $s = "INSERT INTO comment(guid,review_id) VALUES ('$guid','$review_id')";
asked May 26 '11 07:05

Mandar Pande


2 Answers

You should read the section 'Placeholders and Bind Values' in man DBI.

EDIT: added example

my $s = "insert into comment(guid,review_id) values (?, ?)";
$dbh->do( $s, undef, $guid, $review_id) or die $dbh->errstr;
answered Sep 30 '22 04:09

AlexD


Your old query would have been something like this:

my $s = "insert into comment(guid,review_id) values ('$guid','$review_id')";
$dbh->do($s);

The better way, using placeholders and bind values as per @AlexD's answer, would look like this:

my $sth = $dbh->prepare("insert into comment(guid,review_id) values (?, ?)");
$sth->execute($guid, $review_id);

To learn about the security risks of your first approach, have a look at SQL injection attacks on Wikipedia.

answered Sep 30 '22 04:09

Tom Shaw
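
The following script is an added example, not code from the question or from either answer. It runs the interpolated INSERT and the placeholder INSERT side by side on values containing both ' and ", then reads the rows back to confirm they were stored unchanged. Assumptions: DBD::SQLite with an in-memory database stands in for MySQL so the script runs offline, the column types are guessed, and the sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite (in-memory) stands in for MySQL so this runs offline.
# With MySQL only the DSN and credentials passed to connect() change.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Table and column names are from the question; the column types are assumed.
$dbh->do("CREATE TABLE comment (guid TEXT, review_id TEXT)");

# Constructed sample values containing both quote characters.
my @rows = (
    [ q{it's a "quoted" guid}, q{review "42"} ],
    [ q{O'Brien},              q{7'1"}        ],
);

# 1. Interpolation: the first ' inside the value closes the SQL string literal
#    early, so the value becomes part of the statement and it no longer parses.
my ($guid, $review_id) = @{ $rows[0] };
my $ok = eval {
    $dbh->do("INSERT INTO comment(guid,review_id) VALUES ('$guid','$review_id')");
    1;
};
(my $err = $@) =~ s/\s+\z//;
print "interpolated insert: ", ($ok ? "succeeded" : "failed ($err)"), "\n";

# 2. Placeholders: the statement text is fixed; values travel separately as
#    bind values and are never parsed as SQL. Prepare once, execute per row.
my $sth = $dbh->prepare("INSERT INTO comment(guid,review_id) VALUES (?, ?)");
$sth->execute(@$_) for @rows;

# 3. Read back and compare with what was sent (rowid is SQLite's insert order).
my $stored = $dbh->selectall_arrayref(
    "SELECT guid, review_id FROM comment ORDER BY rowid");
for my $i (0 .. $#rows) {
    my $same = $stored->[$i][0] eq $rows[$i][0]
            && $stored->[$i][1] eq $rows[$i][1];
    printf "row %d stored %s: %s | %s\n",
        $i, ($same ? "unchanged" : "ALTERED"), @{ $stored->[$i] };
}

$dbh->disconnect;
```

The interpolated statement fails on the first sample row, while both rows go through the placeholder statement and come back byte-for-byte identical.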