Updating lots of database fields in a single row

William Blunn bill+london.pm at blunn.org
Wed Jan 23 10:53:16 GMT 2013


On 23/01/2013 10:21, Jérôme Étévé wrote:
> Something critical is missing in your code though: quoting:
>
> Replace $field = '$hash->{$field}' with " $field 
> =".$dbh->quote($hash->{$field})
>
> The DBI quote method will 'do the right thing to avoid screwing up 
> your queries'. http://search.cpan.org/dist/DBI/DBI.pm#quote 

We shouldn't be doing anything to encourage people to include variable 
values directly into queries.

If we feel we must mention quoting helper methods, this should be 
clearly qualified with words to the effect that including variable 
values directly into queries is considered poor practice, and best 
practice is to use placeholders and bindings.

Regards,

Bill
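The placeholder-and-binding approach Bill recommends, as an added example that is not code from this thread or from either poster. It builds the multi-field single-row UPDATE from a hash, binds every value, and uses DBI's quote_identifier for the column and table names (which cannot be bound); it assumes DBD::SQLite is installed and uses a constructed in-memory table.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data: an in-memory SQLite database with one row.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, city TEXT)");
$dbh->do("INSERT INTO users (id, name, email, city) VALUES (?, ?, ?, ?)",
    undef, 1, 'Alice', 'alice@example.org', 'London');

# Update every column named in %$hash on the row with the given id.
# Column names are identifiers, so they are quoted with quote_identifier;
# the values never touch the SQL text at all, they are bound at execute time.
sub update_row {
    my ($dbh, $table, $id, $hash) = @_;
    my @cols = sort keys %$hash;          # sorted for a stable statement text
    return 0 unless @cols;
    my $set = join ', ',
        map { $dbh->quote_identifier($_) . ' = ?' } @cols;
    my $sql = sprintf 'UPDATE %s SET %s WHERE id = ?',
        $dbh->quote_identifier($table), $set;
    my $sth = $dbh->prepare($sql);
    return $sth->execute(@{$hash}{@cols}, $id);
}

# Values containing quotes or backslashes are stored literally, with no
# per-value quoting needed in the calling code.
my %new = (
    name  => "O'Brien",
    email => q{bill\"quoted"@example.org},
    city  => 'Paris',
);
update_row($dbh, 'users', 1, \%new);

my $row = $dbh->selectrow_hashref(
    "SELECT name, email, city FROM users WHERE id = ?", undef, 1);
printf "%s | %s | %s\n", @{$row}{qw(name email city)};
```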

