[Dbix-class] escape char support
Bernhard Graf
dbic1 at augensalat.de
Sun Sep 24 14:14:48 CEST 2006
Daniel Westermann-Clark wrote:
> On 2006-09-23 22:18:35 +0200, Bernhard Graf wrote:
> > my $esc = $c->model('DB::Table')->result_source->schema->storage->dbh->get_info(14);
> > my $input = $c->request->params->{input};
> > # escape the LIKE wildcards, and the escape character itself if it occurs in the input
> > $input =~ s/([_%\Q$esc\E])/$esc$1/g;
> >
> > Not very pretty, but always needed, where user input from external
> > sources is used inside SQL queries.
This statement led to confusion, I guess. Of course this is only valid
for "SELECT ... WHERE ... LIKE" queries.
> Well, sure, if you're building SQL strings yourself. But DBIx::Class
> uses placeholders and bind variables unless explicitly told not to
> (NoBindVars), and even then makes a decent attempt to quote the
> values via the dbh.
What you mean is escaping quotes. I mean escaping wildcards.
Example:
Think of a search function. You enter a string. The application prepends and
appends "%" to it:
$search = '%' . $c->request->params->{input} . '%';
That string is then used in a query with LIKE.
But since the user might search for something that contains "_" or "%"
these characters must be escaped.
I always disliked the DBI-way to determine the escape character
$esc = $dbh->get_info(14)
but
$c->model('DB::Table')->result_source->schema->storage->dbh->get_info(14)
is much worse.
--
Bernhard Graf
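The wildcard problem described in this message, as an added example that is not code from the original post and not DBIx::Class: it is written in Python against an in-memory SQLite database because the point is a property of SQL LIKE, not of Perl. The sample rows are constructed. `escape_like` plays the role of the `s/([_%])/$esc$1/g` substitution (and also escapes the escape character itself), the escape character is assumed to be a backslash rather than whatever `$dbh->get_info(14)` would return, and the `ESCAPE ?` clause is needed because SQLite has no default escape character for LIKE. The bound placeholder prevents SQL injection in both queries, but only the escaped version stops user input from acting as a pattern.

```python
import sqlite3

# Constructed sample data (not from the original post).
ROWS = ["100% cotton", "under_score", "plain text", "100 percent", "percent sign"]


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters in user input.

    esc is the character the database will be told about via ESCAPE; with DBI
    it would come from $dbh->get_info(14) (SQL_SEARCH_PATTERN_ESCAPE). The
    escape character itself must be escaped too, otherwise a trailing
    backslash in the input would swallow the "%" the application appends.
    """
    out = []
    for ch in value:
        if ch in ("%", "_", esc):
            out.append(esc)
        out.append(ch)
    return "".join(out)


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", [(r,) for r in ROWS])
    return conn


def search_naive(conn, term):
    # The bind variable stops SQL injection, but "%" and "_" typed by the
    # user are still interpreted as wildcards inside the pattern.
    cur = conn.execute("SELECT name FROM t WHERE name LIKE ?", ("%" + term + "%",))
    return sorted(r[0] for r in cur)


def search_escaped(conn, term, esc="\\"):
    # Escape the user's wildcards, then declare the escape character so the
    # database treats "\%" and "\_" as literal characters.
    pattern = "%" + escape_like(term, esc) + "%"
    cur = conn.execute("SELECT name FROM t WHERE name LIKE ? ESCAPE ?", (pattern, esc))
    return sorted(r[0] for r in cur)


if __name__ == "__main__":
    db = setup()
    for term in ("%", "_", "100%"):
        print(repr(term), "naive:", search_naive(db, term))
        print(repr(term), "escaped:", search_escaped(db, term))
```

Searching for a lone "%" or "_" with the naive query returns every row, which is the behaviour the message describes; the escaped query returns only the rows that actually contain those characters.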