Re: Perl DBI and placeheld values

At 10:30 PM 1/29/03 +0000, Nigel J. Andrews wrote:

>psql> create table mytab ( thetime timestamptz );
>
>perl:
>         $sth = $dbh->prepare('insert into mytab values ( ? )');
>         $sth->execute($thetime);
>
>where $thetime could hold 2003-01-29 13:45:06+00 _or_ current_timestamp.

>So just how do others manage this situation without resorting to special
>casing
>everything?

I use 'now' instead of current_timestamp. Despite current_timestamp being
the SQL standard, I figure 'now' is the way to go. Based on recent posts I
gather that the developers have no plans to break that, so it'll be fine to
use it.

Naturally it doesn't work if the field type is text.

Loosely looking for current_timestamp and then not filtering can be
dangerous in uncontrolled environments. e.g. webapps - users could put
current_timestamp in a cgi parameter followed by not so nice SQL.

I suggest you put the functions and stuff in the main SQL, and leave the
placeholders for the data/variables. That way the changeable stuff gets
quoted, and the static stuff is known to be safe.

Hope this helps,
Link.