Re: escape single quote in INSERT command

From: Scott Lamb <slamb(at)slamb(dot)org>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: escape single quote in INSERT command
Date: 2002-11-27 16:08:38
Message-ID: 3DE4EE06.7050206@slamb.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Hunter wrote:
> Hi Group -
>
> I have a perl application for a registration form. I'd like to put
> escape characters in my insert command to accommodate for '
> (i.e. O'Brien, O'Malley, etc). I've tired double quotes, single
> quotes, back tick, forward ticks, curly bracket, round brackets - no
> success.

The SQL standard in literals is to quote with another single quote (like
'O''Brien'). Not sure why that didn't work for you. But PostgreSQL also
escapes with backslashes ('O\'Brien'), so they also must be escaped
('c:\\winnt'). SQL-92 doesn't. So there's no database-independent way to
quote things 100% correctly.

So don't quote it manually. Either do (preferred)

my $sth = $dbh->prepare(qq{insert into mytable values (?, ?, ?)});
$sth->execute($a, $b, $c);

or

$dbh->do(sprintf("insert into mytable values (%s, %s, %s)",
$dbh->quote($a), $dbh->quote($b),
$dbh->quote($c)));

The first way is better because:

- you don't have to explicitly think about quoting; it takes care of it
- it can use server-side prepared statements for more goodness

The second way, though, at least quotes things correctly. You need to
use $dbh->quote() to do that because quoting is database-specific, as I
mentioned above.

Both ways map Perl undef -> null for you.

Scott

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Tom Lane 2002-11-27 16:15:58 Re: FreeBSD, Linux: select, select count(*) performance
Previous Message Tom Lane 2002-11-27 15:59:52 Re: Mailing list question