Mike Blezien wrote:

Hardy,

thx's, I think this may be exactly what we were looking for, but we currently do not utilize transactions in our coding. Is there another preferred way to do about the same thing without using transactions?

thx's


FWIW, you should be using transactions, esp. for a Billing System.
If not, I hope you're debiting my account only at the very end ;-)
or crediting me at the beginning :-D

And use placeholders.  There are lots of stories about how web forms/fields
are string-catted together to build an SQL statement, exposing the statement
to vicious (but deserved?) hacks.

Here's an off-the-cuff (and probably incorrect) example.

$sql = "select x, y, $usercol from T where ...."

now interpolate $usercol = 'z from SecretTable; drop table T; select x, y';

The string has 3 separate commands in it, just by the user typing in ';'.
Whether or not the 2nd and 3rd run is unimportant.

In fact they'd be doing your boss a favor by leaving tracks.
You, on the other hand, might be looking for new work.

Now DBI may protect you from some of this - many more with placeholders,
which give nice things like efficiency, autoquoting, (and on some DBs)
column type determination, parsing before data is involved, early errors, etc.
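As an added illustration of the point made above (not code from the thread or from DBI), the following Python uses sqlite3, whose `?` placeholders work like DBI's, to contrast the string-catted query with a hardened one. Table names, columns and rows are constructed for the demo; `executescript()` stands in for a driver that accepts several statements per call, since that is what lets the `;` in the input matter. One caveat placeholders do not cover: they bind values, not identifiers, so a user-chosen column name like `$usercol` has to be checked against an allow-list instead.

```python
import sqlite3

# Constructed schema for the demo. SecretTable gets x, y, z so the
# first statement of the injected string parses, as in the post.
SCHEMA = """
create table T (x integer, y text, z text);
insert into T values (1, 'a', 'from-T');
create table SecretTable (x integer, y text, z text);
insert into SecretTable values (9, 'q', 'secret');
"""

# The payload from the post, verbatim.
PAYLOAD = "z from SecretTable; drop table T; select x, y"

def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def table_exists(con, name):
    row = con.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?",
        (name,)).fetchone()
    return row is not None

def query_interpolated(con, usercol):
    """The pattern the post warns about: the column name is interpolated
    straight into the SQL text, so one query becomes three statements."""
    sql = f"select x, y, {usercol} from T"
    try:
        con.executescript(sql)
    except sqlite3.Error:
        pass  # the trailing fragment fails, but 'drop table T' already ran
    return table_exists(con, "T")  # False: the table is gone

ALLOWED_COLS = frozenset({"x", "y", "z"})

def query_safe(con, usercol, y_value):
    """Hardened form: identifier from an allow-list (a placeholder cannot
    bind a column name), the value bound through a '?' placeholder."""
    if usercol not in ALLOWED_COLS:
        raise ValueError(f"column not permitted: {usercol!r}")
    sql = f"select x, y, {usercol} from T where y = ?"
    return con.execute(sql, (y_value,)).fetchall()

if __name__ == "__main__":
    print("T survives interpolated query:", query_interpolated(fresh_db(), PAYLOAD))
    print("placeholder treats payload as data:", query_safe(fresh_db(), "z", PAYLOAD))
```

Bound as a value, the same payload is just a string that matches no row; passed as a column name it is rejected before any SQL is built.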