If you pass into an SQL query something assigned by a user, use placeholders by all means. ) It's not that hard, but it'll save you a lot of headaches, believe me. )
2011/12/30 Mark Haney <ma...@abemblem.com>

> But there's another (and in my opinion, usually better) way: using
> prepared sql statement:
> my $sth = $dbh->prepare(q/
> SELECT * FROM `events` WHERE `date` BETWEEN ? AND ?
> /);
> $sth->execute($begin_time, $end_time);
>
>
> I can certainly do it this way, however, my ultimate goal is to have these
> variables passed via a web form and since I'm still getting my feet wet
> with using perl to a MySQL database exclusively (I can do SQL very well,
> but never inside perl) I am taking baby steps.
>
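The placeholder approach from the quoted reply carried through to the web-form case, as an added example that is not code from either poster: it assumes DBI with DBD::SQLite (an in-memory database and the sample `events` rows are constructed here so it runs offline), validates the form's dates before binding them, and keeps the interpolated form only as a comment to show what the placeholders avoid.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): bind the form's begin/end dates
# with DBI placeholders instead of interpolating them into the SQL.
# Assumes DBI and DBD::SQLite are installed; the events table and rows
# are constructed here so the script runs offline against :memory:.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data standing in for the real `events` table.
$dbh->do("CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT, date TEXT)");
my $ins = $dbh->prepare("INSERT INTO events (name, date) VALUES (?, ?)");
$ins->execute(@$_) for (
    ["kickoff",  "2011-12-05"],
    ["review",   "2011-12-20"],
    ["new year", "2012-01-01"],
);

# Whitelist the form values before they go anywhere near the query:
# a date is exactly YYYY-MM-DD, anything else is rejected outright.
sub form_date {
    my ($value) = @_;
    return $value =~ /\A(\d{4}-\d{2}-\d{2})\z/ ? $1 : undef;
}

# Values as they might arrive from CGI->param('begin') / ('end');
# constructed here for the example.
my $begin_time = form_date("2011-12-01") // die "bad begin date\n";
my $end_time   = form_date("2011-12-31") // die "bad end date\n";

# UNSAFE: "SELECT * FROM events WHERE date BETWEEN '$begin_time' AND '$end_time'"
# lets form input rewrite the statement. Placeholders send the values
# separately from the SQL text, so they can only ever be compared as data.
my $sth = $dbh->prepare(q/
    SELECT name, date FROM events WHERE date BETWEEN ? AND ?
    ORDER BY date
/);
$sth->execute($begin_time, $end_time);

while (my $row = $sth->fetchrow_hashref) {
    print "$row->{date}  $row->{name}\n";
}
$sth->finish;
$dbh->disconnect;
```

Swapping the connect string for your `dbi:mysql:...` DSN leaves the prepare/execute part unchanged, since the placeholders are handled by DBI and the driver rather than by the SQL dialect.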