[Israel.pm] DBI

Shlomi Fish shlomif at iglu.org.il
Mon Nov 1 01:30:14 PDT 2010


On Sunday 31 October 2010 14:42:17 Meir Guttman wrote:
> My dear shlomi,
> 
> OK, and how would you use placeholders to pass the following (My)SQL query?
> 
> LOAD DATA INFILE myLDIfile.tsv
> 
> INTO TABLE tbl_name
> 
> COLUMNS TERMINATED BY '\t' OPTIONALLY ENCLOSED BY "'" ESCAPED BY '\\'
> 
> LINES TERMINATED BY '\r\n'
> 

I don't see why this query requires placeholders or passing data in the first 
place. A here-document will do fine in this case. And you may be able to say:

[query]
LOAD DATA INFILE ?

INTO TABLE tbl_name

COLUMNS TERMINATED BY '\t' OPTIONALLY ENCLOSED BY "'" ESCAPED BY '\\'

LINES TERMINATED BY '\r\n'
[/query]

Assuming you want to mutate INFILE.

Furthermore, I was talking about the general case - I don't rule out that there 
are exceptions (including this MySQL-specific one), but we should recommend 
that people use placeholders instead of $dbh->quote normally.

By the way, for further enlightenment regarding SQL injection attacks, see:

* http://en.wikipedia.org/wiki/SQL_injection

* http://bobby-tables.com/

* http://community.livejournal.com/shlomif_tech/35301.html

Regards,

	Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
"Star Trek: We, the Living Dead" - http://shlom.in/st-wtld

<rindolf> She's a hot chick. But she smokes.
<go|dfish> She can smoke as long as she's smokin'.

Please reply to list if it's a mailing list post - http://shlom.in/reply .
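The placeholder-versus-interpolation point from the reply above, as an added example that is not code from the original post or from DBI itself; it assumes DBD::SQLite is installed so it runs offline, and the LOAD DATA part only builds the SQL string with $dbh->quote as the fallback for the MySQL case the thread discusses.

```perl
use strict;
use warnings;
use DBI;

# Added example, not code from the original post. It uses an in-memory
# SQLite database (DBD::SQLite assumed installed) so it runs offline; with
# DBD::mysql the placeholder handling is the same.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 } );

$dbh->do('CREATE TABLE users (name TEXT, role TEXT)');
$dbh->do( 'INSERT INTO users (name, role) VALUES (?, ?)', undef, @$_ )
    for [ 'alice', 'admin' ], [ 'bob', 'user' ];

# Constructed hostile input: no such user exists, but the quote character
# lets the remainder be parsed as SQL once the value is interpolated.
my $user_input = q{nobody' OR 'a'='a};

# Vulnerable: the value is spliced into the SQL text.
sub count_interpolated {
    my ($name) = @_;
    my ($n) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM users WHERE name = '$name'" );
    return $n;    # 2: the WHERE clause has been rewritten by the input
}

# Safe: a placeholder. The value is bound separately and never parsed as SQL.
sub count_placeholder {
    my ($name) = @_;
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM users WHERE name = ?', undef, $name );
    return $n;    # 0
}

printf "interpolated: %d rows matched\n", count_interpolated($user_input);
printf "placeholder:  %d rows matched\n", count_placeholder($user_input);

# Fallback for a statement where the driver will not take a placeholder
# (the thread's MySQL LOAD DATA INFILE is a candidate): let $dbh->quote
# produce the literal rather than escaping by hand. Only the SQL string is
# built here, since SQLite has no LOAD DATA.
my $path     = 'myLDIfile.tsv';
my $load_sql = sprintf <<'SQL', $dbh->quote($path);
LOAD DATA INFILE %s
INTO TABLE tbl_name
COLUMNS TERMINATED BY '\t' OPTIONALLY ENCLOSED BY "'" ESCAPED BY '\\'
LINES TERMINATED BY '\r\n'
SQL
print $load_sql;
```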

