
Don't quote the variables, use placeholders. It's much simpler, and it's safer.

$dbh->do( 'INSERT INTO movie_collection VALUES ( ?, ?, ... )', undef, @{ $data->{movie} }{@fields} );



  > knee-jerk reaction
Fixed that for you.


Sure. Where's the dbh coming from in this example though? And how do I get it out again nicely to print the SQL to the command line?


It doesn't exist in the example, which is only creating the INSERT statements, presumably to pipe into, e.g., the mysql command line client:

mysql -u user -p < inserts.sql

If the $dbh were in the example, then:

(a) you could avoid that (eek!) archaic escapeSingleQuote() sub, e.g., my $released = $dbh->quote($released), but much better:

(b) as mentioned, use the SQL placeholders to avoid quoting altogether, but

(c) if you really want to print the INSERT's, just do method (a). Start by declaring the $dbh, e.g. for MySQL:

use DBI;
my $dbh = DBI->connect( 'DBI:mysql:my_db', 'db_user', 'db_pass' );   # DBI's constructor is connect(), not new()
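Both routes from the comment above, (b) placeholders for the live insert and (a)/(c) $dbh->quote() for a printable INSERT file, worked through as an added example; it is not code from this thread. It assumes DBI and DBD::SQLite are installed and uses an in-memory SQLite database in place of the MySQL connection, and the movie rows and the movie_collection table are constructed for the demonstration:

```perl
#!/usr/bin/env perl
# Added example, not from the thread: DBI placeholders vs. $dbh->quote().
# Assumes DBI and DBD::SQLite are installed; the rows below are constructed.
use strict;
use warnings;
use DBI;

# In-memory SQLite stands in for the MySQL connection. With MySQL the DSN would
# be 'DBI:mysql:my_db' plus real credentials. RaiseError makes DBI errors fatal.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 } );

$dbh->do('CREATE TABLE movie_collection (title TEXT, director TEXT, released INTEGER)');

my @fields  = qw(title director released);
my $columns = join ', ', @fields;

# Constructed rows. The apostrophe, the SQL fragment and the undef values are
# exactly the cases a hand-rolled escapeSingleQuote() tends to get wrong.
my @movies = (
    { title => "Ocean's Eleven", director => 'Steven Soderbergh', released => 2001 },
    { title => q{'; DROP TABLE movie_collection; --}, director => undef, released => undef },
);

# (b) Placeholders: values travel separately from the SQL text, so nothing is
# escaped by hand and the hostile title is stored as an ordinary string.
my $placeholders = join ', ', ('?') x @fields;
my $sth = $dbh->prepare(
    "INSERT INTO movie_collection ($columns) VALUES ($placeholders)" );
$sth->execute( @{$_}{@fields} ) for @movies;    # hash slice in @fields order

# (a)/(c) Printing the INSERTs instead: let the driver quote each value.
# $dbh->quote() single-quotes strings, escapes embedded quotes in the connected
# driver's dialect, and renders undef as a bare NULL. Without a type argument
# numbers are quoted as strings too, which every SQL server accepts.
sub insert_statement {
    my ( $dbh, $row ) = @_;
    my $values = join ', ', map { $dbh->quote( $row->{$_} ) } @fields;
    return "INSERT INTO movie_collection ($columns) VALUES ($values);";
}

for my $row (@movies) {
    my $sql = insert_statement( $dbh, $row );
    print "$sql\n";
}

# Confirm the placeholder path stored the hostile title verbatim and the table
# survived: the fragment was data, never part of the statement.
my ($count)   = $dbh->selectrow_array('SELECT COUNT(*) FROM movie_collection');
my ($hostile) = $dbh->selectrow_array(
    'SELECT title FROM movie_collection WHERE director IS NULL' );
print "rows: $count, stored title: $hostile\n";

$dbh->disconnect;
```

The quoting rules applied by $dbh->quote() are those of the driver behind the handle (SQLite doubles embedded single quotes, DBD::mysql escapes with backslashes as the MySQL server expects), so a file of INSERTs meant for `mysql -u user -p < inserts.sql` should be generated through a DBI:mysql handle, not a different driver. Placeholders remain the right default; the quoted form is only for when the SQL itself has to be written out.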



