I’ve got the code below that works but I need to know how to

Question

0

Asked: May 30, 20262026-05-30T20:09:29+00:00 2026-05-30T20:09:29+00:00

I’ve got the code below that works but I need to know how to

0

I’ve got the code below that works but I need to know how to bind them for security. If I just replace $new_row with ? and put it in execute I get an error. Thanks for your help.

foreach my $field (@account_field_order) {
$new_row .= "'" . param($field) . "', ";
}#foreach
$new_row .= "'$status'";
my $dsn = "DBI:mysql:$database";
my $dbh = DBI->connect($dsn, $MYSQLuserid, $MYSQLpassword ) 
          or die $DBI::errstr;
my $sth = $dbh->prepare(qq(INSERT INTO $table VALUES ($new_row) )) or die $DBI::errstr;
$sth->execute() or die $DBI::errstr;

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-30T20:09:30+00:00

You will want to use placeholders, and never interpolate variables in strings. You should probably use taint mode and de-taint your param values before using them, if safety is important to you. Documentation on placeholders here.

Try something like:

my @values = map param($_), @account_field_order; # add values to array
push @values, $status;                  # for simplicity
$new_row = join ", ", ("?") x @values;  # add ? for each value

... # basically same code as before, except the execute statement:

$sth->execute(@values);      # arguments given will be inserted at placeholders

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’ve got the code below that works but I need to know how to

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply