Vivek Khera writes:

> On Dec 6, 2004, at 5:55 PM, Larry Leszczynski wrote:
>
>> Thanks for the idea Harald!  I had previously tried using eval but
>> without
>> success.  It now works using the following:
>>
>>    [%
>>       sth  = DBI.prepare(query);
>>       params_list = "'" _ bind_params.join("','") _ "'";
>>       "[% rows = sth.execute($params_list) %" _ "]" FILTER eval;
>>       FOREACH row IN rows;
>>          ...do stuff...
>>       END;
>>    -%]
>
> I hope your bind_params have no funky SQL characters in them,
> especially single quotes.  You really should call the DBI's quote()
> method on each value, then join that result with just a comma.

I admit that I've been too lazy to prepare a sample with DBI and that
I've been sloppy in quoting.

However, I'd doubt that DBI's quote method Does The Right Thing in
this case.  It does SQL-compliant escaping, typically by replacing
q(a'b) with q('a''b').  But TT2 isn't SQL when it comes to parsing.

I've just tested it: TT2's parser converts q('a''b') to two separate
parameters 'a' and 'b'.  So, if you have funky SQL characters, you'd
*really* better wait for TT3 :-)
-- 
Cheers,
haj

_______________________________________________
templates mailing list
[EMAIL PROTECTED]
http://lists.template-toolkit.org/mailman/listinfo/templates
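Added example, not code from the thread and not Template Toolkit's own DBI plugin: a Perl script that first shows what the FILTER eval construction generates once a bind value contains a single quote (the string is template source, so TT2's parser, not the database, decides how it is tokenised), and then the alternative that sidesteps the whole quoting question by keeping the query on the Perl side with DBI placeholders and handing only the result rows to the template. It assumes DBI, DBD::SQLite and Template are installed; the table, rows and bind values are constructed inline, and fetch_rows is a hypothetical helper of this example, not a DBI or TT2 API.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Assumes DBI, DBD::SQLite and
# Template (TT2) are installed. Table, rows and bind values are constructed here.
use strict;
use warnings;
use DBI;
use Template;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE people (name TEXT, city TEXT)");
my $ins = $dbh->prepare("INSERT INTO people (name, city) VALUES (?, ?)");
$ins->execute(@$_) for ( [ "O'Brien", 'Dublin' ], [ 'Smith', 'Leeds' ] );

# Constructed user-supplied values; the first one contains a single quote.
my @bind_params = ("O'Brien", 'Dublin');

# 1. What the "join quoted values, then FILTER eval" approach generates.
#    DBI's quote() escapes for the SQL grammar (a'b becomes 'a''b'), but
#    the result is spliced into *template* source, so TT2's tokeniser,
#    not the database, decides what 'O''Brien' means.
my $params_list = join ',', map { $dbh->quote($_) } @bind_params;
my $generated   = "[% rows = sth.execute($params_list) %]";
print "Generated template source: $generated\n";

# 2. The alternative: run the query in Perl with placeholders and pass
#    only the result set into the template. No data ever becomes
#    template source, so neither SQL quoting nor TT2 quoting is needed.
sub fetch_rows {                            # hypothetical helper
    my ($dbh, $query, @bind) = @_;
    my $sth = $dbh->prepare($query);
    $sth->execute(@bind);                   # values bound, never interpolated
    return $sth->fetchall_arrayref({});     # list of hashrefs, one per row
}

my $rows = fetch_rows($dbh,
    "SELECT name, city FROM people WHERE name = ? AND city = ?",
    @bind_params);

my $tt = Template->new();
my $template = <<'TT';
[% FOREACH row IN rows -%]
[% row.name %] lives in [% row.city %]
[% END -%]
TT
$tt->process(\$template, { rows => $rows }) or die $tt->error;
```

The point of the second half is that the values go through execute() as bind parameters exactly as they would in plain Perl; the template only ever sees finished rows, so there is nothing for either DBI's quote() or TT2's parser to get wrong.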