Open bigpresh opened 12 years ago
Another option would be to use some prefix to the field name:
database->quick_insert("tbl', { +datetime => "DATETIME('now')" } );
I do not think many users use this kind of field name in a database. If there is any engine at all supporting it. And of course, who says to use a plus, says you can use any other strange symbol you would like.
And of course, still possible to do SQL injection. :-)
Currently, all values passed to
quick_insert
/quick_update
are handled using placeholders, which means you can't call SQL functions - for instance:... will not work, because you can't use function calls as parameter values.
It should be possible to provide scalar refs as values, to indicate that the value should be used in the query verbatim, for instance:
It should of course be clearly documented that this means the value you pass is used verbatim, so incorrect use of it can lead to SQL injection vulnerabilities - for example:
... if
$bar
came from untrusted input, you have an SQL injection vulnerability right there.The other alternative implementation would be passing a hashref containing the value and a
quote
option, e.g.:A simple scalar reference is probably easier, though.