Thread: stored queries and quoted strings
Hello,

I have a strange problem with stored queries like this:

    $sql = qq/
        SELECT city, country
        FROM countries
        WHERE city LIKE ?
        ORDER BY city
    /;
    my $sthCity = $dbh->prepare($sql);
    # quote() the pattern before binding it to the placeholder
    my $tempCity = $dbh->quote("n%");
    $sthCity->execute($tempCity);
    my $result = $sthCity->fetchall_arrayref;

The query doesn't return any value. It works only if I remove the ->quote(). The following code actually works, returning all cities with their name n-something:

    # bind the raw pattern to the placeholder
    my $tempCity = "n%";
    $sthCity->execute($tempCity);
    my $result = $sthCity->fetchall_arrayref;

But I'm a little bit worried to use a WHERE statement without quoting the search pattern (input by user). Is it a problem or not?

Thanks,
Filippo
On Fri, 2007-03-30 at 00:31 -0700, filippo wrote:
> Hello,
>
> I have a strange problem with stored queries like this
>
>     $sql = qq/
>         SELECT city, country
>         FROM countries
>         WHERE city LIKE ?
>         ORDER BY city
>     /;
>     $sthCity = $dbh->prepare($sql);
>     my $tempCity = $dbh->quote("n%");
>     $sthCity->execute($tempCity);
>
> the query doesn't return any value. It works only if I remove the
> ->quote().

You do not have to use quote() on the parameters of a prepared statement, as this is already done for you.

gnari
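To make gnari's point concrete, here is an added example that is not from the thread, written in Python with sqlite3 as a stand-in for Perl DBI (the placeholder semantics are the same): the table, rows and function names are constructed for the demonstration. It shows why quote() plus a placeholder matches nothing, that binding the raw pattern is safe against injection, and how to neutralise LIKE wildcards when the user is meant to supply a literal prefix rather than a pattern.

```python
import sqlite3

# Constructed sample data standing in for the poster's `countries` table.
SAMPLE_ROWS = [("Nairobi", "Kenya"), ("Nice", "France"),
               ("Oslo", "Norway"), ("Nuuk", "Greenland")]

SQL = "SELECT city, country FROM countries WHERE city LIKE ? ORDER BY city"


def make_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE countries (city TEXT, country TEXT)")
    conn.executemany("INSERT INTO countries VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_double_quoted(conn, pattern):
    """Reproduces $dbh->quote($pattern) followed by execute().

    quote() wraps the value in apostrophes; the driver then binds that whole
    string as data, so the row must start with a literal apostrophe to match.
    """
    quoted = "'" + pattern.replace("'", "''") + "'"
    return conn.execute(SQL, (quoted,)).fetchall()


def search_bound(conn, pattern):
    """The correct form: bind the raw value, the driver keeps it as data.

    Quote characters or SQL keywords in `pattern` cannot alter the statement,
    which is exactly the injection protection placeholders are for.
    """
    return conn.execute(SQL, (pattern,)).fetchall()


def search_prefix(conn, prefix):
    """Prefix search where the user supplies text, not a LIKE pattern.

    Binding stops injection but not wildcards: a '%' or '_' typed by the user
    would still act as a wildcard, so escape them and declare the ESCAPE char.
    """
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = SQL.replace("LIKE ?", "LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (escaped + "%",)).fetchall()
```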