On Fri, May 27, 2005 at 10:25:52 -0700,
operationsengineer1@yahoo.com wrote:
>
> bruno and all... what are bind parameters? how can i
> avoid building sql from user input when my sql depends
> on user input?
You leave place holders in the SQL string to be replaced by parameters
passed separately. You don't need to do any escaping of the parameters
when passed this way.
Here is a snipet of perl code that does this:
$rows = $dbh->do(<<'EOF',
INSERT INTO detail (day, amount, comment, category, cat_type)
SELECT ?, ?, ?, id, cat_type FROM category WHERE id = ?
EOF
{}, param('day'), param('amount'), param('comment'), param('category'));