Perl

Perl's DBI, available on the CPAN, supports parameterized SQL calls. Both the do and prepare methods accept parameters ("placeholders", as DBI calls them) for most database drivers. For example:

    my $sth = $dbh->prepare("SELECT * FROM users WHERE email = ?");
    foreach my $email (@emails) {
        # The value is bound at execute time, never interpolated into the SQL.
        $sth->execute($email);
        my $row = $sth->fetchrow_hashref;
        [...]
    }

However, placeholders cannot be used for identifiers (table names, column names), so for those you need DBI's quote_identifier() method:

    # Make sure a table name we want to use is safe:
    my $quoted_table_name = $dbh->quote_identifier($table_name);
    # Assume @cols contains a list of column names you need to fetch:
    my $cols = join ',', map { $dbh->quote_identifier($_) } @cols;
    my $sth = $dbh->prepare("SELECT $cols FROM $quoted_table_name ...");
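Putting both techniques together in one runnable script, as an added example that is not part of the original page: it assumes DBD::SQLite is installed and uses an in-memory database so it works offline, and the helper names build_select and fetch_by_email are made up for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Added example (assumes DBD::SQLite); an in-memory database keeps it offline.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)");
my $ins = $dbh->prepare("INSERT INTO users (email, name) VALUES (?, ?)");
$ins->execute('alice@example.com', 'Alice');
$ins->execute('bob@example.com',   'Bob');

# Build a SELECT whose table and column names come from untrusted input.
# Identifiers cannot be placeholders, so each one is run through
# quote_identifier(); the WHERE value stays a ? placeholder.
sub build_select {
    my ($dbh, $table, $cols) = @_;
    my $qtable = $dbh->quote_identifier($table);
    my $qcols  = join ',', map { $dbh->quote_identifier($_) } @$cols;
    return "SELECT $qcols FROM $qtable WHERE email = ?";
}

# Prepare once, then bind the untrusted value at execute time.
sub fetch_by_email {
    my ($dbh, $table, $cols, $email) = @_;
    my $sth = $dbh->prepare(build_select($dbh, $table, $cols));
    $sth->execute($email);
    return $sth->fetchall_arrayref({});   # list of hashrefs, one per row
}

# A hostile value is bound as data, so it is compared literally against
# the email column and matches nothing.
my $rows = fetch_by_email($dbh, 'users', ['id', 'name'], "' OR 1=1 --");
printf "hostile value matched %d row(s)\n", scalar @$rows;

# A hostile identifier is wrapped in quotes and its embedded quote doubled,
# so it stays one (non-existent) column name instead of becoming new SQL.
print build_select($dbh, 'users', ['name" FROM users --']), "\n";

# Normal use.
my $bob = fetch_by_email($dbh, 'users', ['id', 'name'], 'bob@example.com');
print "found $bob->[0]{name} with id $bob->[0]{id}\n";
```

Quoting keeps an identifier from altering the query's structure, but it does not make a caller-supplied table or column name a good idea; checking such names against an allow-list of known identifiers before quoting is the stricter approach.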

You could also avoid writing SQL by hand by using DBIx::Class, SQL::Abstract, etc. to generate your SQL for you programmatically.

To do

Explain Perl's taint mode and how DBI supports taint mode, both inbound and outbound.
