Re: [Templates] Passing a list to DBI execute? (solved)
[Date index for 2004/12/08]
Vivek Khera writes:
> On Dec 6, 2004, at 5:55 PM, Larry Leszczynski wrote:
>
>> Thanks for the idea Harald! I had previously tried using eval but
>> without success. It now works using the following:
>>
>> [%
>> sth = DBI.prepare(query);
>> params_list = "'" _ bind_params.join("','") _ "'";
>> "[% rows = sth.execute($params_list) %" _ "]" FILTER eval;
>> FOREACH row IN rows;
>> ...do stuff...
>> END;
>> -%]
>
> I hope your bind_params have no funky SQL characters in them,
> especially single quotes. You really should call the DBI's quote()
> method on each value, then join that result with just a comma.

I admit that I've been too lazy to prepare a sample with DBI and that
I've been sloppy in quoting.
However, I'd doubt that DBI's quote method Does The Right Thing in
this case. It does SQL-compliant escaping, typically by replacing
q(a'b) with q('a''b'). But TT2 isn't SQL when it comes to parsing.
I've just tested it: TT2's parser converts q('a''b') to two separate
parameters 'a' and 'b'. So, if you have funky SQL characters, you'd
*really* better wait for TT3 :-)
--
Cheers,
haj
_______________________________________________
templates mailing list
templates@xxxxxxxxxxxxxxxx.xxx
http://lists.template-toolkit.org/mailman/listinfo/templates
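
Added example, not part of the original thread and not Template Toolkit's own code: one way to sidestep the quoting problem discussed above is to hand the template's list to Perl as a single array reference and let DBI bind the values, so nothing is re-parsed as template or SQL text. It does not use the DBI plugin from the thread; the helper name `run_query`, the `notes` table and its rows are hypothetical, and DBD::SQLite is assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use Template;

# Constructed sample data in an in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE notes (owner TEXT, body TEXT)');
$dbh->do('INSERT INTO notes VALUES (?, ?)', undef, @$_)
    for ( [ q(a'b), 'quote in the key' ], [ 'plain', 'ordinary row' ] );

# Hypothetical helper exposed to templates: the TT list arrives as one array
# reference and is expanded here in Perl, so values are bound by DBI and are
# never spliced into template source or SQL text.
sub run_query {
    my ($sql, $binds) = @_;
    my @binds = ref $binds eq 'ARRAY' ? @$binds : ();
    my $sth   = $dbh->prepare($sql);
    my $want  = $sth->{NUM_OF_PARAMS};
    # Refuse a mismatched list instead of letting the driver guess.
    die "expected $want bind values, got " . scalar(@binds) . "\n"
        unless $want == @binds;
    $sth->execute(@binds);
    return $sth->fetchall_arrayref({});   # array of hashes for FOREACH
}

# The template passes the list itself; no eval filter, no quoting.
my $template = <<'END_TT';
[% rows = run_query(query, bind_params) -%]
[% FOREACH row IN rows -%]
[% row.owner | html %]: [% row.body | html %]
[% END -%]
END_TT

my $tt = Template->new() or die Template->error(), "\n";
$tt->process(\$template, {
    run_query   => \&run_query,
    query       => 'SELECT owner, body FROM notes WHERE owner = ?',
    bind_params => [ q(a'b) ],            # the value from the thread
}) or die $tt->error(), "\n";
```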