
This queue is for tickets about the DBD-Sybase CPAN distribution.

Report information
The Basics
Id: 60096
Status: open
Priority: 0/
Queue: DBD-Sybase

People
Owner: mpeppler [...] peppler.org
Requestors: DNichols [...] kgptel.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



CC: "bug-DBD-Sybase [...] rt.cpan.org" <bug-DBD-Sybase [...] rt.cpan.org>
Subject: client-side placeholders in DBD::Sybase prepared statements
Date: Wed, 4 Aug 2010 19:19:04 -0500
To: "mpeppler [...] peppler.org" <mpeppler [...] peppler.org>
From: "Nicol, David" <DNichols [...] kgptel.com>
Please enjoy the attached file. I do not know how severely it violates DBD coding standards. I imagine a similar approach could be provided more elegantly where placeholders are currently translated into TSQL stored procedures, instead of at the top of the existing prepare method. The following now DWIW, which is to have the rows method work after running an UPDATE prepared with placeholders.

print "STATEMENT WITH INLINE DATA:\n";
my $sth = $dbh->prepare(<<UPDATE3);
update dln_demotable set first = 'Z' where second < 'd'
UPDATE3
print "updating three rows, got result: ".$sth->execute()."\n";
print "rows method tells us: ",$sth->rows()."\n";

print "STATEMENT WITH PLACEHOLDER:\n";
$sth = $dbh->prepare(<<UPDATE3);
update dln_demotable set first = 'X' where second < ?
UPDATE3
print "updating three rows, got result: ".$sth->execute('d')."\n";
print "rows method tells us: ",$sth->rows()."\n";


On Wed Aug 04 20:19:14 2010, DNichols@kgptel.com wrote:
> Please enjoy the attached file. I do not know how severely it violates
> DBD coding standards. I imagine a similar approach could be
> provided more elegantly where placeholders are currently translated
> into TSQL stored procedures, instead of at the top of the existing
> prepare method. The following now DWIW, which is to have the rows
> method work after running an UPDATE prepared with placeholders.

(sorry for the delay...) Thanks. How do you handle issues such as quoting, possible SQL injection, etc.? Also, by using this we lose the speed advantage of having the prepared statement on the server side - are the advantages worth the disadvantages?

Michael
Subject: RE: [rt.cpan.org #60096] client-side placeholders in DBD::Sybase prepared statements
Date: Mon, 25 Apr 2011 12:43:02 -0500
To: "bug-DBD-Sybase [...] rt.cpan.org" <bug-DBD-Sybase [...] rt.cpan.org>
From: "Nicol, David" <DNichols [...] kgptel.com>
IIRC there's a map {$dbh->quote($_)} ... run over the arguments to handle quoting/injection issues. And regarding the speed/ease tradeoff, except in unusual situations, anymore, ease wins.

Dave

> Regarding speed/ease issues, with modern hardware, ease wins.
> How do you handle issue such as quoting, possible SQL injection, etc?
> Also, by using this we lose the speed advantage of having the prepared
> statement on the server side - are the advantages worth the disadvantages?
>
> Michael
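The two messages above turn on one question: if placeholders are expanded on the client instead of being sent to the server, how does the driver keep a bound value from being parsed as SQL? The answer given is to run every argument through $dbh->quote. The following added example (not the attached patch, and not DBD::Sybase code) shows why the substitution step itself also matters: a plain regex replace of every "?" will rewrite question marks that sit inside the statement's own string literals, while a literal-aware scan only touches real placeholders. quote_like_dbi is an assumed stand-in that mimics what DBI's quote does (double embedded single quotes, wrap in quotes, undef becomes NULL) so the script runs without a database; the table and values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for $dbh->quote (assumption: with a live handle you would pass
# sub { $dbh->quote($_[0]) } instead). DBI's quote doubles embedded single
# quotes, wraps the value in single quotes, and renders undef as NULL.
sub quote_like_dbi {
    my ($value) = @_;
    return 'NULL' unless defined $value;
    (my $escaped = $value) =~ s/'/''/g;
    return "'$escaped'";
}

# Naive client-side expansion: every '?' in the text is treated as a
# placeholder, including one that is part of a string literal in the SQL.
sub naive_interpolate {
    my ($sql, $args, $quote) = @_;
    my @values = @$args;
    (my $out = $sql) =~ s/\?/ @values ? $quote->(shift @values) : '?' /ge;
    return $out;
}

# Literal-aware expansion: walk the statement one character at a time,
# toggling $in_literal on each single quote (T-SQL escapes a quote inside
# a literal as '', which toggles twice and so stays balanced). Only a '?'
# outside a literal is a placeholder, and every bound value passes through
# the quoter, which is the map { $dbh->quote($_) } step from the thread.
# Mismatched placeholder and argument counts are a hard error.
sub interpolate_placeholders {
    my ($sql, $args, $quote) = @_;
    my @values     = @$args;
    my $out        = '';
    my $in_literal = 0;
    for my $c (split //, $sql) {
        if ($c eq "'") {
            $in_literal = !$in_literal;
            $out .= $c;
        }
        elsif ($c eq '?' && !$in_literal) {
            die "too few bind values for statement\n" unless @values;
            $out .= $quote->(shift @values);
        }
        else {
            $out .= $c;
        }
    }
    die "too many bind values for statement\n" if @values;
    return $out;
}

# Constructed demo: the statement carries a literal containing '?', and
# the bound value contains a single quote that must be doubled.
my $sql  = "update dln_demotable set first = 'X?' where second < ?";
my @args = ("d'e");

print "naive: ", naive_interpolate($sql, \@args, \&quote_like_dbi), "\n";
print "aware: ", interpolate_placeholders($sql, \@args, \&quote_like_dbi), "\n";
```

The naive line consumes the bound value at the '?' inside 'X?' and leaves the real placeholder untouched, so the statement that would reach the server is not the one the caller wrote. The aware line yields second < 'd''e', with the embedded quote neutralised by the quoter. Two caveats a reviewer of such a patch would still raise: the scanner knows nothing about '?' inside SQL comments or bracketed identifiers, and quoting on the client only covers values the quoter understands, so any non-string bind types need their own handling rather than the string path shown here.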