Updating lots of database fields in a single row

Abigail abigail at abigail.be
Wed Jan 23 11:09:17 GMT 2013

On Wed, Jan 23, 2013 at 10:53:16AM +0000, William Blunn wrote:
> On 23/01/2013 10:21, Jérôme Étévé wrote:
>> Something critical is missing in your code though: quoting:
>> Replace $field = '$hash->{$field}' with " $field  
>> =".$dbh->quote($hash->{$field})
>> The DBI quote method will 'do the right thing to avoid screwing up  
>> your queries'. http://search.cpan.org/dist/DBI/DBI.pm#quote 
> We shouldn't be doing anything to encourage people to include variable  
> values directly into queries.
> If we feel we must mention quoting helper methods, this should be  
> clearly qualified with words to the effect that including variable  
> values directly into queries is considered poor practice, and best  
> practice is to use placeholders and bindings.

I'd say that dogmas are poor practise.

Good practise is actually *knowing* when you should use placeholders,
and when there's no need.

Because someone who knows can actually be trusted to do variable
interpolation in places where placeholders cannot be used. Unlike
someone who goes "variable interpolation is baaaaaaad".


More information about the london.pm mailing list