[Dbix-class] escape char support
Daniel Westermann-Clark
dwc at pobox.com
Sun Sep 24 04:38:51 CEST 2006
On 2006-09-23 22:18:35 +0200, Bernhard Graf wrote:
> my $esc = $c->model('DB::Table')->result_source->schema->storage->dbh->get_info(14);
> my $input = $c->request->params->{input};
> $input =~ s/([_%])/$esc$1/g;
>
> Not very pretty, but always needed, where user input from external
> sources is used inside SQL queries.
Well, sure, if you're building SQL strings yourself. But DBIx::Class
uses placeholders and bind variables unless explicitly told not to
(NoBindVars), and even then makes a decent attempt to quote the values
via the dbh.
That doesn't mean you shouldn't validate user input, but that's more
about saying what's allowed than trying to prevent everything invalid.
--
Daniel Westermann-Clark
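The distinction drawn in this exchange is worth seeing run: placeholders keep user input out of the SQL text, so quoting is the driver's job, but `%` and `_` are still wildcards once that input lands in a `LIKE` pattern, which is the case the quoted `s/([_%])/$esc$1/g` handles (its `get_info(14)` asks DBI for the driver's search-pattern escape character). The following is an added example, not code from the thread or from DBIx::Class; it uses Python's `sqlite3` instead of DBI, hard-codes a backslash as the escape character and declares it with an `ESCAPE` clause, and works on a constructed in-memory table. The `is_allowed` check sketches the allow-list validation Daniel describes, as a separate step from escaping.

```python
import re
import sqlite3

# Constructed sample rows (not from the list post). They include LIKE
# wildcards and a quote so the differences below are visible.
SAMPLE_NAMES = ["alice", "a_b", "axb", "100%", "1000", "o'neil"]

# Assumed escape character; a DBI driver would report its own via get_info(14).
ESC = "\\"

# Allow-list for a search term: say what is permitted rather than trying to
# enumerate everything that is not (constructed pattern, adjust per field).
ALLOWED = re.compile(r"[A-Za-z0-9 .'-]{1,64}")


def setup_db():
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def is_allowed(term):
    """Allow-list validation: True only if the whole term matches ALLOWED."""
    return ALLOWED.fullmatch(term) is not None


def escape_like(value, esc=ESC):
    """Prefix the escape character and both LIKE wildcards with esc.

    The escape character itself is doubled first so a literal backslash in
    the input cannot neutralise a following wildcard escape.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_unescaped(conn, term):
    """Prefix search via a placeholder but with no wildcard escaping.

    The placeholder keeps quotes and SQL syntax in the term inert, yet any
    '%' or '_' the user typed still acts as a wildcard inside the pattern.
    """
    rows = conn.execute("SELECT name FROM t WHERE name LIKE ?",
                        (term + "%",)).fetchall()
    return sorted(r[0] for r in rows)


def search_escaped(conn, term):
    """Prefix search with the user's wildcards escaped and ESCAPE declared."""
    pattern = escape_like(term) + "%"
    rows = conn.execute("SELECT name FROM t WHERE name LIKE ? ESCAPE '\\'",
                        (pattern,)).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = setup_db()
    for term in ("a_", "100%", "o'"):
        print(repr(term), "allowed:", is_allowed(term),
              "unescaped:", search_unescaped(db, term),
              "escaped:", search_escaped(db, term))
```

Searching for `a_` without escaping returns every name that starts with `a` and has a second character, while the escaped form returns only `a_b`; `100%` likewise matches `1000` until the percent sign is escaped. The term `o'` works either way because the driver, not string concatenation, handles the quote, which is the point about placeholders; the wildcard escaping is a separate, additional concern that placeholders do not address.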