在Perl中转义单引号

Question

I have the following code:

my $body = $in{'article'};

Here is my database insertion code:

my $stmt = $db->prepare("insert into news_articles (createdate, userid, status, title, inline, content, attribution, pending) values(unix_timestamp(), $user->{'uid'}, 0, '$title', '$pullquote', '$body', '$attr', 0)");

It seems to fail when i have a single quote inside the $body variable.

I've tried escaping it using:

$body = $db->quote($body);

And also:

$body = qq($body);

I'm very new to Perl, but how can I safely escape single quotes prior to the insertion?

Answer 1

$body = $db->quote($body) is the correct way to do this, but note that the quote method also adds the outer quotation marks, so you would use just $body in your SQL statement instead of '$body'

However, using prepare together with placeholders is by far the best method all-round. It supplies the necessary quoting for you, and also allows a prepared statement to be reused several times with different execute parameters

I find here documents useful for writing SQL statements with some layout so that they are readable. Your code would look like this

my $body = $in{article};

my $stmt = $db->prepare(<<END_SQL);
INSERT INTO news_articles (createdate, userid, status, title, inline, content, attribution, pending)
VALUES (UNIX_TIMESTAMP(), ?, ?, ?, ?, ?, ?, ?)
END_SQL

$stmt->execute($user->{'uid'}, 0, $title, $pullquote, $body, $attr, 0);