On Fri, Jul 02, 2004 at 02:29:49PM -0400, Jesse Guardiani wrote:
> Is it possible to provide values to the
> execute function WITHOUT them being
> automatically escaped?
> I'd like to insert raw SQL code.
No, this is not possible, and for good reason.
The methodology behind DBI is to separate out the "preparation" phase
from the "execution" phase.
On databases where this is supported (e.g. later versions of
PostgreSQL, Informix and possibly Oracle), during the "preparation"
phase, the SQL is evaluated and optimized. During the "execution"
phase, constant values are substituted for each placeholder, and the
pre-optimized statement is then executed. If you were allowed to
insert raw SQL during the execution stage, then preparation would not
Also, it can be a big security hole to inject arbitrary SQL into
statements (if it comes from a source outside your control, such as
If you want to build statements, then you need to call '#prepare', or
preferably '#prepare_cached' on the SQL string that you've built.
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
Perl4Caml lets you use any Perl library in your type-safe Objective
CAML programs. http://www.merjis.com/developers/perl4caml/
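The distinction Richard draws above (values are bound at execute time and are never parsed as SQL, while anything that must be part of the statement text has to be built into the string you hand to prepare or prepare_cached) shown as an added example. This is not code from the thread; it assumes DBD::SQLite is installed, and the users table, its rows, the hostile input string and the users_sorted_by helper are all constructed here for illustration.

```perl
#!/usr/bin/env perl
# Added example, not from the original thread. Assumes DBD::SQLite; the
# table, rows and input strings below are constructed for illustration.
use strict;
use warnings;
use DBI;

# In-memory SQLite database so the example runs offline.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
my $ins = $dbh->prepare("INSERT INTO users (name, role) VALUES (?, ?)");
$ins->execute(@$_) for (["alice", "admin"], ["bob", "user"], ["carol", "user"]);

# Constructed hostile input of the kind the thread warns about.
my $hostile = "x' OR '1'='1";

# 1. Values passed to execute() are bound as data. The placeholder is
#    resolved after the SQL has been parsed, so $hostile can only ever be
#    compared as a string literal; it matches no row.
my $safe = $dbh->prepare("SELECT id, name FROM users WHERE name = ?");
$safe->execute($hostile);
my $safe_rows = $safe->fetchall_arrayref;
printf "placeholder query matched %d row(s)\n", scalar @$safe_rows;   # 0

# 2. The behaviour the original poster asked for: raw text spliced into the
#    statement. Now the quote in $hostile closes the literal and the
#    "OR '1'='1'" becomes part of the WHERE clause, returning every user.
my $unsafe = $dbh->prepare("SELECT id, name FROM users WHERE name = '$hostile'");
$unsafe->execute;
my $unsafe_rows = $unsafe->fetchall_arrayref;
printf "interpolated query matched %d row(s)\n", scalar @$unsafe_rows; # 3

# 3. Placeholders stand for values only, never for identifiers or keywords.
#    When the caller chooses the ORDER BY column you really do have to build
#    the statement text, so restrict it to an allow-list, quote it as an
#    identifier, and hand the finished string to prepare_cached().
my %sortable = map { $_ => 1 } qw(id name role);

sub users_sorted_by {
    my ($dbh, $role, $col) = @_;   # $role is data (bound); $col is structure
    die "refusing to sort by unknown column '$col'\n" unless $sortable{$col};
    my $sql = "SELECT id, name FROM users WHERE role = ? ORDER BY "
            . $dbh->quote_identifier($col);
    my $sth = $dbh->prepare_cached($sql);   # one prepare per distinct $sql
    $sth->execute($role);                   # the role still goes in as a value
    return $sth->fetchall_arrayref;
}

my $by_name = users_sorted_by($dbh, "user", "name");
print "user names: ", join(", ", map { $_->[1] } @$by_name), "\n";  # bob, carol

# An attacker-supplied "column" never reaches the SQL text.
eval { users_sorted_by($dbh, "user", "name; DROP TABLE users") };
print "rejected: $@" if $@;

$dbh->disconnect;
```

Two things worth noticing. The allow-list in step 3 is what makes building the string acceptable: quote_identifier only protects against a name that contains a double quote, it does not decide whether the caller may sort by that column at all. And prepare_cached keys its cache on the statement text, so interpolating values into the SQL, besides the injection risk, also produces a new cache entry (and a new server-side prepare) for every distinct value, which is exactly the preparation work the placeholder design is meant to avoid repeating.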