[Dbix-class] Escaping placeholders
tim.bunce at pobox.com
Sun Dec 21 13:31:47 GMT 2014
On Sun, Dec 21, 2014 at 10:27:18AM +0100, peter at vanroose.be wrote:
> On 20.12.2014 15:38, Tim Bunce wrote:
> > [...]
> > Can you, or anyone else, think of any situation where a backslash before
> > a ? or :foo (or even $1) style placeholder might be valid SQL?
> Inside quoted text: of course, yes.
> Outside quoted text: maybe some RDBMS accept a backslash as a valid character
> in the name of a table or column? (Haven't tried this out yet.)
> At least make sure "\?" will not be handled as placeholder inside column name
> quoting, as in e.g.
> "foo \? bar"
That's standard identifier quoting so should be ignored by the driver
for the same reason that single quoted strings are.
> or in
> [foo \? bar]
> with SQL Server, or
> `foo \? bar`
> for MySQL.
For databases that support those non-standard identifier quoting styles
the driver should be treating them as strings and so skipping them anyway.
> But my fear is that even
> would be accepted as valid column or table name by some RDBMS...
I find that very hard to believe without any evidence.
Even if true, the driver for such a database would, I presume,
treat that ? as a placeholder and so it would already be broken.
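
The scanning behaviour discussed in this message, as an added sketch in C (not code from the thread, DBI, or any DBD driver): quoted strings and quoted identifiers are skipped, and a backslash before an unquoted `?` yields a literal `?` instead of a placeholder. The function name `scan_placeholders`, the choice to enable all four quoting styles at once, and the sample statement are assumptions made for illustration; only `?` placeholders are handled.

```c
#include <stdio.h>
#include <string.h>

/* Closing delimiter for the quoting style opened by c, or 0 if c opens none.
 * Assumption: all four styles are on; a real driver enables only its own. */
static char closer_for(char c) {
    switch (c) {
    case '\'': case '"': case '`': return c;
    case '[': return ']';
    default:  return 0;
    }
}

/* Copy sql to out, turning an unquoted "\?" into a literal "?". Returns the
 * count of unquoted, unescaped '?' placeholders, or -1 if out is too small or
 * a quote is left open. SQL comments and backslash-escaped quotes are not handled. */
int scan_placeholders(const char *sql, char *out, size_t outsz) {
    int count = 0;
    size_t o = 0;
    char endq = 0;                         /* non-zero while inside quotes */
    for (size_t i = 0; sql[i] != '\0'; i++) {
        char c = sql[i];
        if (o + 3 > outsz) return -1;      /* room for two bytes plus NUL */
        if (endq) {
            if (c == endq && sql[i + 1] == endq)
                out[o++] = sql[i++];       /* doubled delimiter stays quoted */
            else if (c == endq)
                endq = 0;
        } else if (c == '\\' && sql[i + 1] == '?') {
            c = sql[++i];                  /* escaped: literal '?', drop '\' */
        } else if (c == '?') {
            count++;
        } else {
            endq = closer_for(c);
        }
        out[o++] = c;
    }
    out[o] = '\0';
    return endq ? -1 : count;
}

int main(void) {
    /* Constructed sample statement, not taken from the thread. */
    const char *sql = "SELECT \"foo \\? bar\" FROM t WHERE a \\? 'x?' AND id = ?";
    char out[128];
    int n = scan_placeholders(sql, out, sizeof out);
    printf("%d placeholder(s): %s\n", n, out);
    return 0;
}
```
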