From: Harald Fuchs <[EMAIL PROTECTED]>
> In article <[EMAIL PROTECTED]>,
> Kamran <[EMAIL PROTECTED]> writes:
> 
> > Hello Jeff,
> > Thanks a lot for your help.  It worked, but there is a slight
> > adjustment. Note below:
> 
> 
> > my $QRYstring = "select * from $tablename where id IN (" . join (","
> > , @ids) . ")" ;
> 
> > I mean , join needed brackets as well. Other wise only last record
> > was being matched or (NOT matched) based on the use of NOT in the
> > outer query.
> 
> > Thanks again for your help.
> 
> > And thank you all for taking out time for this.
> 
> Please note that all suggestions posted are susceptible to SQL
> injection attacks.  This means that your database can get damaged if
> @ids comes from an external source.  A safe (albeit clumsy)
> alternative would be
> 
>   my $sth = $dbh->prepare (q{
>     SELECT id, str
>     FROM tbl
>     WHERE id NOT IN (
>   } . join (',', ('?') x @ids) . q{
>                      )
>   });
> 
>   $sth->execute (@ids);

You are right. In this case I think untainting the data (making sure 
it's just positive integers and nothing more) would be better:

        # refuse the whole request if any id contains a non-digit character
        die "A possible SQL Injection attack!\n"
                if (grep /[^0-9]/, @ids);

Jenda
===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed 
to get drunk and croon as much as they like.
        -- Terry Pratchett in Sourcery
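The two approaches in this thread, written out as an added example that is not code from the thread: a validation step that rejects anything but plain positive integers, and an IN list built from one `?` placeholder per value so that the ids travel as bind parameters rather than as SQL text. It assumes DBD::SQLite is installed (an in-memory database is used so it runs offline); the table and rows are constructed sample data, and `untaint_ids` and `select_not_in` are names chosen here. Note the parentheses in `('?') x @ids`: without them `'?' x @ids` is string repetition and yields `???` instead of `?,?,?`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample: an in-memory SQLite table (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE tbl (id INTEGER PRIMARY KEY, str TEXT)');
my $ins = $dbh->prepare('INSERT INTO tbl (id, str) VALUES (?, ?)');
$ins->execute($_, "row $_") for 1 .. 5;

# Approach 1 (validation): every id must be a string of digits and nothing
# else.  Dies on the first offending value, otherwise returns numeric copies.
sub untaint_ids {
    my @ids = @_;
    die "A possible SQL Injection attack!\n" if grep { !/\A[0-9]+\z/ } @ids;
    return map { $_ + 0 } @ids;
}

# Approach 2 (placeholders): one '?' per element, values passed to execute().
# The statement text never contains user data, only the placeholder marks.
sub select_not_in {
    my ($dbh, @ids) = @_;
    die "empty IN list\n" unless @ids;
    my $marks = join ',', ('?') x @ids;      # list repetition: '?,?,?'
    my $sth = $dbh->prepare(
        "SELECT id, str FROM tbl WHERE id NOT IN ($marks)");
    $sth->execute(@ids);
    return $sth->fetchall_arrayref;           # [ [id, str], ... ]
}

# Well-formed input: validate first, then query with placeholders.
my $rows = select_not_in($dbh, untaint_ids(2, 4));
print "$_->[0]: $_->[1]\n" for @$rows;

# Hostile input (constructed): the validation step refuses it outright ...
my @bad = ('2', '4) OR 1=1 --');
eval { untaint_ids(@bad); 1 } or print "rejected: $@";

# ... and even when validation is skipped, the placeholder version sends the
# string as a bind value compared against id, not as part of the SQL.
my $rows2 = select_not_in($dbh, @bad);
print "placeholder query returned ", scalar(@$rows2), " rows\n";
```

The two measures complement each other: validation gives an early, loggable rejection of malformed input, while placeholders make the query safe regardless of what the ids contain. The `die` in `select_not_in` for an empty list matters because `NOT IN ()` is a syntax error on most engines, so an empty @ids should be handled before building the statement.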
