On 12/30/2011 12:30 PM, Igor Dovgiy wrote:
Hi Mark,
If your variables are strictly internal and by no means might be ever
tainted (read: user input), what you're doing is mostly ok.
But you need to quote the dates passed within query itself, like this:
my $sql = qq/SELECT * FROM `events` WHERE `date` BETWEEN '$begin_time'
AND '$end_time'/;
/(qq, of course, not q: you'd like your variables to be interpolated,
would you? :)/
Yeah, true. I missed that part.
But there's another (and in my opinion, usually better) way: using
prepared sql statement:
my $sth = $dbh->prepare(q/
SELECT * FROM `events` WHERE `date` BETWEEN ? AND ?
/);
$sth->execute($begin_time, $end_time);
I can certainly do it this way, however, my ultimate goal is to have
these variables passed via a web form and since I'm still getting my
feet wet with using perl to a MySQL database exclusively (I can do SQL
very well, but never inside perl) I am taking baby steps.
This method is safer, but a little (or not, depending on driver and DB
used) bit slower than direct queries.
Have to say that I usually prefer even simpler DBI methods, like
selectall_arrayref, combining the power of `prepare`, `execute` and
`fetch` methods in one statement. But that's a matter of taste, I guess. )
-- iD
P.S. BTW, if you want to know the reason why particular SQL query
fails, just call errstr method of your DBI object (like $dbh->errstr)
- and print the result. )
