
Escaping input values, bind params (DBI)
Posted by: Robert Waters
Date: January 17, 2009 05:26PM

I have a perl script that takes data from an OCR'd file and inserts it into a LONGTEXT field in a MyISAM table (with a FULLTEXT index).
I need to make sure that I am escaping the data from these files properly.
Previously, I had been using code like this:
open FH, "<file" or die "Cannot open file: $!";
binmode FH;
$string = join("", <FH>);
close FH;
$string =~ s/\\/\\\\/g ;   # backslashes (we escape this first)
$string =~ s/\0//g;        # An ASCII 0 (NUL) character.
$string =~ s/\'/\\\'/g;    # single quotes
$string =~ s/\"/\\\"/g;    # double quotes
$string =~ s/\x08/\\b/g;   # backspace: match the 0x08 byte, since \b in a regex is a word boundary, not a backspace
$string =~ s/\n/\\n/g;     # newline
$string =~ s/\r/\\r/g;     # carriage return
$string =~ s/\t/\\t/g;     # tab

It worked, as far as I could tell.

However, I was just reading up on DBI and found that if you bind data to a parameter in a prepared query, then you do not need to escape any of that data.
"The database driver will escape the parameters correctly in the bind_param() method"
This *seems* to work. Unfortunately I am dealing with massive quantities of data and cannot check everything, so I would like to ask if anyone on this forum has similar experience, and if so, what did you do?

Thanks for your help!
Robert Waters

Note that there is a quasi-cross-post on the Newbie forum, but there I am asking a non-perl related question. Please no flames.

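The bind-parameter approach the post asks about, as an added example that is not part of the original thread. The DSN, credentials, and a documents table with id, filename and body columns are assumptions; the file is read in binary mode exactly as in the post, but the bytes are handed to execute() unescaped.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Connection details are placeholders; adjust for your own server.
my $dbh = DBI->connect(
    "DBI:mysql:database=ocr_db;host=localhost",
    "ocr_user", "PASSWORD_PLACEHOLDER",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 },
);

# Read the OCR'd file the way the post does: binary mode, whole file at once.
sub slurp_binary {
    my ($path) = @_;
    open my $fh, '<', $path or die "Cannot open $path: $!";
    binmode $fh;
    local $/;                 # undef the record separator: slurp the file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Insert through a placeholder. No hand-written substitutions are applied:
# DBD::mysql escapes the value itself (by default it emulates prepares
# client-side with mysql_real_escape_string; with mysql_server_prepare=1
# the value travels in the binary protocol instead), so quotes, backslashes,
# NULs and control bytes in the OCR text stay inside the column value and
# never become part of the SQL statement.
sub insert_document {
    my ($dbh, $filename, $path) = @_;
    my $text = slurp_binary($path);
    my $sth  = $dbh->prepare(
        'INSERT INTO documents (filename, body) VALUES (?, ?)'
    );
    $sth->execute($filename, $text);
    return $dbh->last_insert_id(undef, undef, 'documents', 'id');
}

# If you ever must build the SQL as a string (e.g. writing a dump file),
# use the driver's quote() rather than a private list of regexes: it knows
# the connection's character set and covers every byte MySQL treats specially.
sub quoted_insert_sql {
    my ($dbh, $filename, $text) = @_;
    return sprintf 'INSERT INTO documents (filename, body) VALUES (%s, %s)',
        $dbh->quote($filename), $dbh->quote($text);
}

my $id = insert_document($dbh, 'page001.txt', 'ocr/page001.txt');
print "inserted document id $id\n";
$dbh->disconnect;
```

Because the FULLTEXT index is built from the stored bytes, the placeholder path also keeps the indexed text identical to the file contents, which a hand-rolled escaper that drops or doubles characters does not guarantee.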
