Updating lots of database fields in a single row
Abigail
abigail at abigail.be
Wed Jan 23 11:09:17 GMT 2013
On Wed, Jan 23, 2013 at 10:53:16AM +0000, William Blunn wrote:
> On 23/01/2013 10:21, Jérôme Étévé wrote:
>> Something critical is missing in your code though: quoting:
>>
>> Replace $field = '$hash->{$field}' with " $field
>> =".$dbh->quote($hash->{$field})
>>
>> The DBI quote method will 'do the right thing to avoid screwing up
>> your queries'. http://search.cpan.org/dist/DBI/DBI.pm#quote
>
> We shouldn't be doing anything to encourage people to include variable
> values directly into queries.
>
> If we feel we must mention quoting helper methods, this should be
> clearly qualified with words to the effect that including variable
> values directly into queries is considered poor practice, and best
> practice is to use placeholders and bindings.
I'd say that dogmas are poor practice.
Good practice is actually *knowing* when you should use placeholders,
and when there's no need.
Because someone who knows can actually be trusted to do variable
interpolation in places where placeholders cannot be used. Unlike
someone who goes "variable interpolation is baaaaaaad".
Abigail
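The thread above argues over `$dbh->quote` versus placeholders for a dynamic multi-column UPDATE. The following is an added example, not code posted by any of the participants, showing the distinction Abigail is pointing at: the column *values* go through placeholders, while the column *names* (which placeholders cannot bind) are checked against a whitelist and passed through DBI's `quote_identifier`. It assumes DBD::SQLite is installed and uses a constructed in-memory `users` table; the table, the `%allowed` list and `update_row` are hypothetical names for the illustration.

```perl
#!/usr/bin/env perl
# Added example: build an UPDATE for an arbitrary set of columns in one row.
# Values are bound as placeholders. Column names cannot be placeholders, so
# they are checked against a whitelist and quoted with quote_identifier.
use strict;
use warnings;
use DBI;

# Constructed in-memory database for the example (requires DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)");
$dbh->do("INSERT INTO users (id, name, email, age) VALUES (1, 'alice', 'alice\@example.org', 30)");

# Columns a caller is allowed to update (hypothetical whitelist). Hash keys
# might originate from a form, so anything not listed here is rejected before
# it can reach the SQL text.
my %allowed = map { $_ => 1 } qw(name email age);

sub update_row {
    my ($dbh, $table, $id, $hash) = @_;

    my (@set, @bind);
    for my $field (sort keys %$hash) {
        die "refusing to update unknown column '$field'\n"
            unless $allowed{$field};
        # Identifier: whitelisted above and quoted; it cannot be a placeholder.
        push @set, $dbh->quote_identifier($field) . " = ?";
        # Value: always a placeholder, never interpolated and never ->quote()d.
        push @bind, $hash->{$field};
    }
    return 0 unless @set;

    my $sql = sprintf "UPDATE %s SET %s WHERE id = ?",
        $dbh->quote_identifier($table), join(", ", @set);
    my $sth = $dbh->prepare($sql);
    return $sth->execute(@bind, $id);   # number of rows affected
}

# A value carrying a quote and an SQL fragment is plain data when bound.
my $changes = { name => "o'brien; DROP TABLE users; --", age => 31 };
my $rows = update_row($dbh, "users", 1, $changes);
print "rows updated: $rows\n";

my $row = $dbh->selectrow_hashref(
    "SELECT name, email, age FROM users WHERE id = ?", undef, 1);
print "$_ => $row->{$_}\n" for sort keys %$row;

# A hostile *key* is stopped by the whitelist before any SQL is built.
eval { update_row($dbh, "users", 1, { "age = 0; DROP TABLE users; --" => 1 }) };
print "rejected: $@" if $@;
```

Run it with `perl update_row.pl`. The point of the structure is that the two kinds of input are handled by two different mechanisms: the value side never needs `quote` because `execute` binds it, and the identifier side is the one place where the developer has to know that a placeholder will not work and must validate the name before quoting it.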