 | use strict;
use DBI;
use Test::More;
if (defined $ENV{DBI_DSN}) {
  plan tests => 9;
} else {
  plan skip_all => 'cannot test without DB info';
}
my $dbh = DBI->connect($ENV{DBI_DSN}, $ENV{DBI_USER}, $ENV{DBI_PASS},
		       {RaiseError => 1, AutoCommit => 0}
		      );
ok(defined $dbh,
   'connect with transaction'
  );
my $quo = $dbh->quote("\\'?:");
my $sth = $dbh->prepare(qq{
			INSERT INTO test (name) VALUES ($quo)
		       });
$sth->execute();
my $sql = <<SQL;
	SELECT name
	FROM test
	WHERE name = $quo;
SQL
$sth = $dbh->prepare($sql);
$sth->execute();
my ($retr) = $sth->fetchrow_array();
ok((defined($retr) && $retr eq "\\'?:"),
   'fetch'
  );
eval {
  local $dbh->{PrintError} = 0;
  $sth->execute('foo');
};
ok($@,
   'execute with one bind param where none expected'
  );
$sql = <<SQL;
       SELECT name
       FROM test
       WHERE name = ?
SQL
$sth = $dbh->prepare($sql);
$sth->execute("\\'?:");
($retr) = $sth->fetchrow_array();
ok((defined($retr) && $retr eq "\\'?:"),
   'execute with ? placeholder'
  );
$sql = <<SQL;
       SELECT name
       FROM test
       WHERE name = :1
SQL
$sth = $dbh->prepare($sql);
$sth->execute("\\'?:");
($retr) = $sth->fetchrow_array();
ok((defined($retr) && $retr eq "\\'?:"),
   'execute with :1 placeholder'
  );
$sql = <<SQL;
       SELECT name
       FROM test
       WHERE name = '?'
SQL
$sth = $dbh->prepare($sql);
eval {
  local $dbh->{PrintError} = 0;
  $sth->execute('foo');
};
ok($@,
   'execute with quoted ?'
  );
$sql = <<SQL;
       SELECT name
       FROM test
       WHERE name = ':1'
SQL
$sth = $dbh->prepare($sql);
eval {
  local $dbh->{PrintError} = 0;
  $sth->execute('foo');
};
ok($@,
   'execute with quoted :1'
  );
$sql = <<SQL;
       SELECT name
       FROM test
       WHERE name = '\\\\'
       AND name = '?'
SQL
$sth = $dbh->prepare($sql);
eval {
  local $dbh->{PrintError} = 0;
  local $sth->{PrintError} = 0;
  $sth->execute('foo');
};
ok($@,
   'execute with quoted ?'
  );
$sth->finish();
$dbh->rollback();
ok($dbh->disconnect(),
   'disconnect'
  );