[Dbix-class] Proper way to escape underscores in DBIC (DBI 101, sorry)
Matt S Trout
dbix-class at trout.me.uk
Fri Oct 13 20:15:03 CEST 2006
On 13 Oct 2006, at 13:36, Ash Berlin wrote:
> Jules Bean wrote:
>> apv wrote:
>>
>>> I want/need to escape underscores so that simple searches can't be
>>> "hacked" by users, accidentally or intentionally. The DBI doc shows
>>> this as the way to do it:
>>>
>>> $esc = $dbh->get_info( 14 ); # SQL_SEARCH_PATTERN_ESCAPE
>>> $search_pattern =~ s/([_%])/$esc$1/g;
>>>
>>> Where/how should I do it in (a Catalyst app that's doing)
>>> searches with
>>> DBIC? I'm interested in overriding it for *all* user facing searches
>>> since users should only be allowed to supply literal chars.
>>>
>>>
>>
>>
>> Don't use LIKE?
>>
>> _% are only special in the context of a LIKE query.
>>
>> Jules
> c.f 'search' and 'search_like'
>
search_like considered harmful.
--
Matt S Trout, Technical Director, Shadowcat Systems Ltd.
Offering custom development, consultancy and support contracts for
Catalyst,
DBIx::Class and BAST. Contact mst (at) shadowcatsystems.co.uk for
details.
+ Help us build a better perl ORM: http://dbix-
class.shadowcatsystems.co.uk/ +
More information about the Dbix-class
mailing list