A Non-Kludgey way to Escape MySQL quotes in Perl?

A Non-Kludgey way to Escape MySQL quotes in Perl?

Posted by: jerrykrinock
Posted on: 2006-07-11 09:47:00

I find that, even if the value is not a keyword, MySQL always wants it to be in single quotes. But single quotes are swallowed by perl to convert my variable names into literal values. So, I write stuff like this:

my $query = q{
SELECT licenseNumber, licenseeName
FROM sales
WHERE serialNumber = '} ;
$query .= $serialNumberReceived ;
$query .= q{'} ;

Is there not a more elegant way to do this??


Re: A Non-Kludgey way to Escape MySQL quotes in Pe

Posted by: scjessey
Posted on: 2006-07-11 09:53:00

In reply to:

Is there not a more elegant way to do this?

<sarcasm>Use PHP?</sarcasm>

Re: A Non-Kludgey way to Escape MySQL quotes in Pe

Posted by: Atropos7
Posted on: 2006-07-11 11:00:00

OK my sracastic answer is RTFM at Quote and Quote-like Operators

my $query = qq{
  SELECT licenseNumber, licenseeName
  FROM sales
  WHERE serialNumber = '$serialNumberReceived'
};

Now what is the difference? Duh, I used the qq operator so that the string will be interpolated for variables. Granted, this is equivalent to 

my $query = "
  SELECT licenseNumber, licenseeName
  FROM sales
  WHERE serialNumber = '$serialNumberReceived'
";


Except that with qq the string delimiter can be brackets or other characters, not just quotation mark.





cool Atropos | openvein.org

Re: A Non-Kludgey way to Escape MySQL quotes in Pe

Posted by: kchrist
Posted on: 2006-07-11 11:03:00

Use PHP?

You misspelled "Ruby".

Re: A Non-Kludgey way to Escape MySQL quotes in Pe

Posted by: jerrykrinock
Posted on: 2006-07-11 11:09:00

Very cool. Just use qq instead of quote. I was reading this:

http://www.perl.com/pub/a/1999/10/DBI.html

and found what I think is an even better way, which I just tested and works:

my $query = q{
SELECT licenseNumber, licenseeName
FROM sales
WHERE serialNumber = ?} ;

my $statementHandle = $databaseHandle->prepare($query) ;
# Error-handling code omitted

my $didExecute = $statementHandle->execute($serialNumberReceived) ;

Then, you can use any quote operator on the prepare, and the execute will never be fooled if the value contains the quote operator, since there is no quote operator!

It looks like you can handle multiple values by using (?, ?, ?) and then ($val1, $val2, $val3), but I haven't tried that yet.

Thanks!

Re: A Non-Kludgey way to Escape MySQL quotes in Pe

Posted by: guice
Posted on: 2006-07-11 11:59:00

Or you can just use the Database hander:

my $quoted = $dbh->quote($sql);

All Database API libraries will have an ability to quote strings built in. Use them.

Re: A Non-Kludgey way to Escape MySQL quotes in Pe

Posted by: iansealy
Posted on: 2006-07-11 12:09:00

In reply to:

All Database API libraries will have an ability to quote strings built in. Use them.

Definitely. Especially if $serialNumberReceived can be manipulated by users. If you don't know what SQL injection is then have a look at:

http://en.wikipedia.org/wiki/SQL_injection

Re: A Non-Kludgey way to Escape MySQL quotes in Pe

Posted by: scjessey
Posted on: 2006-07-11 18:55:00

In reply to:

You misspelled "Ruby".

What has curry got to do with anything?

Re: A Non-Kludgey way to Escape MySQL quotes in Pe

Posted by: kchrist
Posted on: 2006-07-17 11:32:00

What has curry got to do with anything?

Bravo!

Tags: quotesperlmysqlescapekeywordstuff