Updating lots of database fields in a single row
William Blunn
bill+london.pm at blunn.org
Wed Jan 23 10:53:16 GMT 2013
On 23/01/2013 10:21, Jérôme Étévé wrote:
> Something critical is missing in your code though: quoting:
>
> Replace $field = '$hash->{$field}' with " $field
> =".$dbh->quote($hash->{$field})
>
> The DBI quote method will 'do the right thing to avoid screwing up
> your queries'. http://search.cpan.org/dist/DBI/DBI.pm#quote
We shouldn't be doing anything to encourage people to include variable
values directly into queries.
If we feel we must mention quoting helper methods, this should be
clearly qualified with words to the effect that including variable
values directly into queries is considered poor practice, and best
practice is to use placeholders and bindings.
Regards,
Bill
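As an added illustration of the placeholder approach Bill recommends (this is not code from either message in the thread), here is the field-by-field update written with DBI placeholders and bound values. It assumes DBD::SQLite is installed, uses an in-memory database as a stand-in for the real one, and assumes the caller supplies the list of columns it is permitted to update, since column names cannot be bound.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumed: DBD::SQLite is available. An in-memory table stands in for
# whatever table the original code was updating.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, city TEXT)');
$dbh->do(q{INSERT INTO people (id, name, city) VALUES (1, 'old', 'old')});

# Update every key of %$hash on the row with the given id. Values are bound
# with '?' placeholders, so they never become part of the SQL text. Column
# names cannot be bound, so each one is checked against the caller's list of
# allowed columns and then quoted as an identifier.
sub update_row {
    my ($dbh, $table, $id, $hash, $allowed) = @_;
    my %ok     = map { $_ => 1 } @$allowed;
    my @fields = sort keys %$hash;
    for my $f (@fields) {
        die "refusing to update unknown column '$f'\n" unless $ok{$f};
    }
    my $set = join ', ',
        map { $dbh->quote_identifier($_) . ' = ?' } @fields;
    my $sql = sprintf 'UPDATE %s SET %s WHERE id = ?',
        $dbh->quote_identifier($table), $set;
    my $sth = $dbh->prepare($sql);
    return $sth->execute(@{$hash}{@fields}, $id);    # rows affected
}

# Constructed input: one value with an embedded quote and one that looks
# like a query fragment. Both are stored literally, because with bindings
# the database driver never interprets them as SQL.
my %new = (
    name => "O'Brien",
    city => "x'; DROP TABLE people; --",
);
my $rows = update_row($dbh, 'people', 1, \%new, [qw(name city)]);
my $row  = $dbh->selectrow_hashref(
    'SELECT name, city FROM people WHERE id = ?', undef, 1);
printf "%d row updated: name=%s city=%s\n", $rows, $row->{name}, $row->{city};
```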