Scalar refs for calling SQL functions avoiding quoting/placeholders

[bigpresh]

Currently, all values passed to quick_insert / quick_update are handled using placeholders, which means you can't call SQL functions - for instance:

 database->quick_insert('log', { datetime => "DATETIME('now')", msg => $msg });

... will not work, because you can't use function calls as parameter values.

It should be possible to provide scalar refs as values, to indicate that the value should be used in the query verbatim, for instance:

database->quick_insert('log', { datetime => \"DATETIME('now')", msg => $msg });

It should of course be clearly documented that this means the value you pass is used verbatim, so incorrect use of it can lead to SQL injection vulnerabilities - for example:

# Horribly wrong:
database->quick_insert('log', { foo => \$bar });

... if $bar came from untrusted input, you have an SQL injection vulnerability right there.

The other alternative implementation would be passing a hashref containing the value and a quote option, e.g.:

database->quick_insert('foo', { datetime => { value => "DATETIME('now')", quote => 0 } ... });

A simple scalar reference is probably easier, though.

[ambs]

Another option would be to use some prefix to the field name:

database->quick_insert("tbl', { +datetime => "DATETIME('now')" } );

I do not think many users use this kind of field name in a database. If there is any engine at all supporting it. And of course, who says to use a plus, says you can use any other strange symbol you would like.

And of course, still possible to do SQL injection. :-)