DBI, MySQL and apostrophes

T

Tomasz Chmielewski

Let's assume I have this code which inserts some values into a MySQL
database:


my $var = "Jake's cake";
$SQL = "INSERT INTO `recipes` (`name`, `stat`) VALUES ('$var', 'ok')";
$my_db->do($SQL) or die "Error!\n";


Executing this will render an error:

DBD::mysql::db do failed: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near 's cake', 'ok')' at line 1 at my_script.pl line 77.
Error!

Obviously, it breaks because of an apostrophe in $var variable.

What are the ways to get around this issue?

I could prepend each apostrophe with a backslash:

$var =~ s/'/\\'/;

But I'm not sure if it's the right way to do this.

Are there any "better" approaches?
 
X

xhoster

Tomasz Chmielewski said:
Let's assume I have this code which inserts some values into a MySQL
database:

my $var = "Jake's cake";
$SQL = "INSERT INTO `recipes` (`name`, `stat`) VALUES ('$var', 'ok')";
$my_db->do($SQL) or die "Error!\n";

Executing this will render an error:

DBD::mysql::db do failed: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near 's cake', 'ok')' at line 1 at my_script.pl line 77.
Error!

Obviously, it breaks because of an apostrophe in $var variable.

What are the ways to get around this issue?
Click to expand...

In my opinion, the only sane way to deal with this is to use
placeholder/bind variables.

$SQL = "INSERT INTO recipes (name, stat) VALUES (?, 'ok')";
$my_db->do($SQL,undef,$var) or die "Error!\n";

Xho

--
-------------------- http://NewsReader.Com/ --------------------
The costs of publication of this article were defrayed in part by the
payment of page charges. This article must therefore be hereby marked
advertisement in accordance with 18 U.S.C. Section 1734 solely to indicate
this fact.
 
B

Ben Morrow

Quoth Tomasz Chmielewski said:
Let's assume I have this code which inserts some values into a MySQL
database:


my $var = "Jake's cake";
$SQL = "INSERT INTO `recipes` (`name`, `stat`) VALUES ('$var', 'ok')";
$my_db->do($SQL) or die "Error!\n";


Executing this will render an error:

DBD::mysql::db do failed: You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near 's cake', 'ok')' at line 1 at my_script.pl line 77.
Error!

Obviously, it breaks because of an apostrophe in $var variable.

What are the ways to get around this issue?
Click to expand...

See 'Placeholders and Bind Values' in perldoc DBI.

Ben
 
M

Martijn Lievaart

I could prepend each apostrophe with a backslash:

$var =~ s/'/\\'/;

But I'm not sure if it's the right way to do this.

Are there any "better" approaches?
Click to expand...

Just drop the apostrophes, they are not needed.

Besides, use DBI variable binding. What if $var contained "');delete from
users;"? Well actually that will not work with DBI, but interpolating
variables in SQL queries is a bad idea and has to be done very carefully.
Variable binding is the easy way to get it right.

The following should work (untested and error handling omitted):

my $var = "Jake's cake";
$SQL = "INSERT INTO recipes (name, stat) VALUES (?, 'ok')";
my $sth = $my_db->prepare($SQL);
$sth->execute($var);

HTH,
M4
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Survey details won't go through using php, ajax, Mysql 0
Text::CSV and Mysql 2
DBI problems 4
Insert NULL into mySQL datetime 3
Problem installing DBI 2
DBI 11
mysql update with ruby + dbi 1
DBI: adding columns to table 9

Members online

Total: 93 (members: 1, guests: 92)
Robots: 416

Forum statistics

Threads
473,995
Messages
2,570,236
Members
46,821
Latest member
AleidaSchi

Latest Threads

Top