Ticket #34

Summary: SQL cleanup - use DBI ? substitutions, move all SQL into IPDB.pm
Reporter: Kris Deugau
Type: defect
Status: closed
Priority: major
Milestone: 2.8
Resolution: fixed

Description:

Much of the SQL currently uses:

{{{
# user-supplied values interpolated straight into the SQL text
$sth = $dbh->prepare("INSERT INTO table (cols) values ('$literal1','$literal2')");
$sth->execute;
}}}

instead of:

{{{
# placeholders: values are bound at execute time, never parsed as SQL
$sth = $dbh->prepare("INSERT INTO table (cols) values (?,?)");
$sth->execute($literal1, $literal2);
}}}

Switching to CGI::Simple (#15) is exposing several places where this is problematic.

This is also something of an SQL-injection security issue - using DBI's parameter replacement means that user data goes right into the table, instead of munging the SQL (deliberately or otherwise).
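The two failure modes the ticket describes, shown side by side in a runnable script. This is an added example, not code from IPDB.pm or from the ticket; it assumes DBD::SQLite is installed and uses an in-memory SQLite database in place of the project's real backend. The helper names (insert_interpolated, insert_placeholder, count_interpolated, count_placeholder) and the customers table are invented for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. The in-memory DB stands in for
# whatever IPDB actually talks to; DBI placeholder semantics are the same.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE customers (custid TEXT PRIMARY KEY, name TEXT)");

# Hypothetical helper: the pattern the ticket wants removed. User data is
# spliced into the SQL text, so quotes in the data change the statement.
sub insert_interpolated {
    my ($dbh, $custid, $name) = @_;
    my $sth = $dbh->prepare(
        "INSERT INTO customers (custid,name) VALUES ('$custid','$name')");
    $sth->execute;
}

# Hypothetical helper: the pattern the ticket asks for. The SQL is fixed
# at prepare time; the values are bound at execute time and stored verbatim.
sub insert_placeholder {
    my ($dbh, $custid, $name) = @_;
    my $sth = $dbh->prepare(
        "INSERT INTO customers (custid,name) VALUES (?,?)");
    $sth->execute($custid, $name);
}

# Same contrast on a lookup: interpolation lets the caller rewrite the
# WHERE clause, a placeholder compares against the literal string.
sub count_interpolated {
    my ($dbh, $custid) = @_;
    my ($n) = $dbh->selectrow_array(
        "SELECT count(*) FROM customers WHERE custid='$custid'");
    return $n;
}

sub count_placeholder {
    my ($dbh, $custid) = @_;
    my ($n) = $dbh->selectrow_array(
        "SELECT count(*) FROM customers WHERE custid=?", undef, $custid);
    return $n;
}

# Constructed sample input: an ordinary name containing an apostrophe
# (the "otherwise" case) and a classic tautology probe (the "deliberately" case).
my $name  = "O'Brien";
my $probe = "nobody' OR '1'='1";

# 1. Legitimate data breaks interpolated SQL (unterminated string -> RaiseError).
eval { insert_interpolated($dbh, "c1", $name) };
print "interpolated insert: ", ($@ ? "FAILED: $@" : "ok\n");

# 2. The same data goes straight into the table via placeholders.
insert_placeholder($dbh, "c1", $name);
insert_placeholder($dbh, "c2", "Smith");

# 3. The probe matches every row when interpolated, no rows when bound.
printf "interpolated lookup of %s matched %d rows\n",
    $probe, count_interpolated($dbh, $probe);   # all rows (2)
printf "placeholder lookup of %s matched %d rows\n",
    $probe, count_placeholder($dbh, $probe);    # 0
```

Placeholders only work where a value is legal in the SQL grammar; they cannot stand in for a table or column name. For the rare spot where an identifier or fragment really must be assembled at run time, DBI's $dbh->quote and $dbh->quote_identifier are the supported escaping routes, and a review should treat any remaining string interpolation into SQL as a defect.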