
#5 DBI not used in recommended way

Milestone: v1.1
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2002-05-17
Created: 2002-05-17
Creator: dhoov
Private: No

Hi,

In the dbengine code, I repeatedly see the following
type of query code:
$comm = "SELECT * FROM $table WHERE $uniqOID='$oid'";  # $oid is pasted into the SQL text
$result = $dbconn->prepare($comm);
$result->execute;

This is not recommended practice. The way this should
be coded is (unless you have some good reason not to):

# A '?' placeholder can stand only for a value; table and column names
# are identifiers and cannot be bound, so they stay in the SQL text.
$comm = "SELECT * FROM $table WHERE $uniqOID=?";
$result = $dbconn->prepare($comm);
$result->execute($oid);

The DBD then makes substitutions for $table and $oid,
but it handles quotes and other strange characters
correctly.
By not using the placeholders ('?') correctly, you open
yourself up to bugs or security problems which may
occur because of table names with weird characters in
them (because simple Perl substitution is not
appropriate). Also, using the placeholders correctly
may result in a speed improvement of dbengine, and
fewer strange, unexplainable bugs.

Just a recommendation. Would somebody like me to make
these changes to have them integrated into the source?
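The difference the ticket describes, as an added runnable example (this is not dbengine's code and not the reporter's). It assumes DBD::SQLite is installed and builds a constructed in-memory table whose key contains a single quote, then runs the interpolated query, the placeholder query, and a version that also validates and quotes the table and column names with DBI's quote_identifier(). The helper select_by_key, the allowlists and the sample data are all invented for the example.

```perl
#!/usr/bin/perl
# Added example, not part of the dbengine project. Shows why interpolating a
# value into SQL breaks on quotes and how DBI placeholders fix it. Assumes
# DBD::SQLite is available.
use strict;
use warnings;
use DBI;

# Constructed in-memory database with one row whose key contains a quote.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE widgets (oid TEXT PRIMARY KEY, name TEXT)");
$dbh->do("INSERT INTO widgets (oid, name) VALUES (?, ?)",
         undef, "O'Brien", "test widget");

my $table   = "widgets";
my $uniqOID = "oid";
my $oid     = "O'Brien";   # constructed value containing a single quote

# 1. Interpolation, as in the ticket. The quote inside $oid terminates the
#    SQL string literal early, so the statement does not even parse. Any
#    input reaching $oid is treated as SQL text rather than as a value.
eval {
    my $sth = $dbh->prepare("SELECT * FROM $table WHERE $uniqOID='$oid'");
    $sth->execute;
};
print "interpolated query: ", ($@ ? "FAILED: $@" : "ok\n");

# 2. Placeholder for the value. The DBD hands $oid to the engine as data, so
#    quotes and other odd characters need no escaping. A placeholder can
#    only represent a value; table and column names are identifiers and are
#    handled in step 3.
my $sth = $dbh->prepare("SELECT * FROM $table WHERE $uniqOID = ?");
$sth->execute($oid);
my $row = $sth->fetchrow_hashref;
print "placeholder query: ", ($row ? "found '$row->{name}'" : "no row"), "\n";

# 3. Identifiers: accept only names the application knows, then let DBI
#    quote them. quote_identifier() is a real DBI method; the allowlists and
#    select_by_key() are constructed for this example.
my %known_table  = map { $_ => 1 } qw(widgets);
my %known_column = map { $_ => 1 } qw(oid name);

sub select_by_key {
    my ($dbh, $table, $column, $value) = @_;
    die "unknown table '$table'\n"   unless $known_table{$table};
    die "unknown column '$column'\n" unless $known_column{$column};
    my $sql = sprintf("SELECT * FROM %s WHERE %s = ?",
                      $dbh->quote_identifier($table),
                      $dbh->quote_identifier($column));
    my $sth = $dbh->prepare($sql);
    $sth->execute($value);
    return $sth->fetchrow_hashref;
}

my $r = select_by_key($dbh, $table, $uniqOID, $oid);
print "quoted identifiers: ", ($r ? "found '$r->{name}'" : "no row"), "\n";
```

Run it with plain `perl` and the first query reports a parse failure while the other two find the row. The allowlist in step 3 is the important part for the table name: quote_identifier() only makes an identifier syntactically safe, it does not decide whether the caller should be allowed to name that table at all.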

Discussion

