[Dbix-class] Proper way to escape underscores in DBIC (DBI 101, sorry)

Matt S Trout dbix-class at trout.me.uk
Fri Oct 13 20:15:03 CEST 2006


On 13 Oct 2006, at 13:36, Ash Berlin wrote:

> Jules Bean wrote:
>> apv wrote:
>>
>>> I want/need to escape underscores so that simple searches can't be
>>> "hacked" by users, accidentally or intentionally. The DBI doc shows
>>> this as the way to do it:
>>>
>>>    $esc = $dbh->get_info( 14 );  # SQL_SEARCH_PATTERN_ESCAPE
>>>    $search_pattern =~ s/([_%])/$esc$1/g;
>>>
>>> Where/how should I do it in (a Catalyst app that's doing) searches with
>>> DBIC? I'm interested in overriding it for *all* user facing searches
>>> since users should only be allowed to supply literal chars.
>>>
>>>
>>
>>
>> Don't use LIKE?
>>
>> _% are only special in the context of a LIKE query.
>>
>> Jules
> c.f 'search' and 'search_like'
>

search_like considered harmful.

-- 
Matt S Trout, Technical Director, Shadowcat Systems Ltd.
Offering custom development, consultancy and support contracts for Catalyst,
DBIx::Class and BAST. Contact mst (at) shadowcatsystems.co.uk for details.
+ Help us build a better perl ORM: http://dbix-class.shadowcatsystems.co.uk/ +
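
The escaping apv asks about, worked through against DBI as an added example that is not from this thread or from DBIx::Class itself: it takes the escape character from `get_info(14)` as the DBI docs describe, also escapes the escape character itself (the DBI snippet above does not), and passes an explicit `ESCAPE` clause so the driver cannot silently treat `_` and `%` as wildcards. It assumes DBD::SQLite is installed, falls back to `\` when the driver reports no escape character, and the `users` table with its `name` column is constructed for the demonstration.

```perl
use strict;
use warnings;
use DBI;

# Escape LIKE metacharacters so the user's term is matched literally.
# The escape character is asked from the driver (get_info(14) is
# SQL_SEARCH_PATTERN_ESCAPE); '\' is an assumed fallback for drivers that
# report none. The escape character itself must be escaped too, otherwise
# a trailing '\' in user input would swallow the closing '%' of the pattern.
sub escape_like {
    my ($dbh, $term) = @_;
    my $esc = $dbh->get_info(14) || '\\';
    # \Q..\E quotes $esc so a backslash is a literal member of the class
    $term =~ s/([_%\Q$esc\E])/$esc$1/g;
    return ($term, $esc);
}

# Rows whose name contains $term as plain text. Both the pattern and the
# escape character are bound parameters; nothing from the user reaches
# the SQL text, and the ESCAPE clause tells the driver which character
# neutralises '_' and '%' (SQLite has no default escape character).
sub find_containing {
    my ($dbh, $term) = @_;
    my ($pat, $esc) = escape_like($dbh, $term);
    return $dbh->selectcol_arrayref(
        'SELECT name FROM users WHERE name LIKE ? ESCAPE ? ORDER BY name',
        undef, "%$pat%", $esc,
    );
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1 });
$dbh->do('CREATE TABLE users (name TEXT)');
$dbh->do('INSERT INTO users VALUES (?)', undef, $_) for qw(a_b axb abc 100%);

# Unescaped: '_' matches any single character, so "a_b" also finds "axb".
print "unescaped: ", join(',', @{ $dbh->selectcol_arrayref(
    q{SELECT name FROM users WHERE name LIKE '%a_b%' ORDER BY name}) }), "\n";

# Escaped: only the row containing a literal underscore is returned.
print "escaped:   ", join(',', @{ find_containing($dbh, 'a_b') }), "\n";

# A bare '%' from the user no longer matches every row.
print "percent:   ", join(',', @{ find_containing($dbh, '%') }), "\n";
```

With DBIC the same escaped pattern goes to an ordinary `search` with `-like`, since `search_like` wraps every value in LIKE and offers no place to add the `ESCAPE` clause.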