[Pdx-pm] Escaping strings for SQL insertion
nat at powning.org
Tue Feb 15 16:18:34 PST 2005
On Tue, 15 Feb 2005, Roderick A. Anderson wrote:
> Win32::ODBC doesn't have ( from what I can tell ) quote/unquote
> functions and DBI only has quote. I'll be converting to DBI shortly and
> would bet I could kludge something together to unquote my strings before
> passing them back but in the mean time anyone have a quick method to
> make strings SQL safe or safe for SQL?
In good practice the strings should be kept separate from the query; in
DBI you should prepare your query using question marks as placeholders
and set their values using bind_param.
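As an added illustration of the placeholder approach (this is example code, not code from the original post): a DBI script that inserts and reads back strings containing apostrophes, double quotes and semicolons without any hand-written escaping. It assumes DBD::SQLite is installed and uses an in-memory database so it runs offline; the table and the sample rows are constructed for the example. DBI's quote() is shown at the end only as the fallback for the rare case where SQL must be assembled as a string.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database keeps this self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1, PrintError => 0 });

# Constructed example table.
$dbh->do("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL, note TEXT)");

# Constructed sample input: values that would break naive string interpolation.
my @rows = (
    [ "O'Reilly",          "plain apostrophe in the name" ],
    [ 'Ann "Quotes" Lee',  "semicolons; and 'mixed' quotes stay data" ],
);

# Placeholders: the SQL text is fixed at prepare time; the values travel
# separately, so the driver never has to parse them as SQL.
my $ins = $dbh->prepare("INSERT INTO members (name, note) VALUES (?, ?)");
for my $row (@rows) {
    $ins->bind_param(1, $row->[0]);
    $ins->bind_param(2, $row->[1]);
    $ins->execute();
}
# Equivalent shorthand: execute() accepts the bind values directly.
$ins->execute("Bob", "bound via execute() arguments");

# Reading back with a bound parameter: the apostrophe is matched literally,
# and the stored values come back exactly as given, so nothing needs "unquoting".
my $sel = $dbh->prepare("SELECT id, name, note FROM members WHERE name = ?");
$sel->execute("O'Reilly");
while (my ($id, $name, $note) = $sel->fetchrow_array) {
    printf "%d: %s (%s)\n", $id, $name, $note;
}

# Fallback only: if SQL really must be built as a string, quote() is the DBI
# escaping function mentioned in the thread (for SQLite it doubles single quotes).
my $literal = $dbh->quote("O'Reilly");
print "quote() produces: $literal\n";
my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM members WHERE name = $literal");
print "rows matching via quote(): $count\n";

$dbh->disconnect;
```

Run it with `perl placeholders.pl`; the SELECT prints the O'Reilly row and the quote() query reports one matching row. Prefer the prepare/bind_param (or execute-with-arguments) form everywhere; reserve quote() for identifiers or fragments that cannot be bound.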