[Dbix-class] patch: escaping user input - cookbook example

Matt S Trout dbix-class at trout.me.uk
Thu Feb 7 07:02:17 GMT 2008


On Wed, Feb 06, 2008 at 01:14:22PM +0000, Carl Franks wrote:
> On 06/02/2008, Matt S Trout <dbix-class at trout.me.uk> wrote:
> > On Wed, Feb 06, 2008 at 10:34:09AM +0000, Carl Franks wrote:
> > > Here's a minor patch to address an issue that I found a solution for
> > > in the list archives, but couldn't find in the docs anywhere.
> > >
> > > It's against http://dev.catalyst.perl.org/repos/bast/DBIx-Class/0.08/trunk
> > > if it should be against a different location and doesn't patch
> > > cleanly, let me know and I'll fix it.
> >
> > { name => { like => $query } }
> >
> > works for that.
> 
> Did you maybe miss the leading and trailing '%' wildcards?

To simplify the example, yes.

The point is the bind => isn't needed at all.

If that's what you're trying to illustrate then pick an example that
actually needs the technique - if we accept a patch that used 'bind' for
LIKE people will (quite logically) assume you have to and never find the
easy way.

> I just tried changing my app to use your code, and a search for "o'r"
> no longer matched against "test o'reilly".
> 
> The code example in my patch came from one of your list responses:
> http://www.mail-archive.com/dbix-class@lists.rawmode.org/msg03329.html

Which is in an order_by clause, not a where, and is a functional call, not
an operator (LIKE is an operator, it's just one with a \w+ name).

An example of -that- would be much appreciated.

Though I don't quite get why you called the example "escaping user input",
we bind the value parts of everything in where just the same way.

-- 
      Matt S Trout       Need help with your Catalyst or DBIx::Class project?
   Technical Director                    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/
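The distinction drawn above (the value part of a where condition is bound, so a quote in user input such as "o'r" never reaches the SQL text) as an added example; this is not code from the thread or from DBIx::Class itself. It calls SQL::Abstract directly, which DBIx::Class uses to build its where clauses; the `like_literal` helper, its name, and the ESCAPE clause are assumptions made for this example.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): SQL::Abstract sends the LIKE pattern
# as a bind value, so quoting in user input is handled by the driver, not
# by string escaping in the application.
use strict;
use warnings;
use SQL::Abstract;

my $sqla = SQL::Abstract->new;

# Constructed user input: the search term mentioned in the thread.
my $user_input = "o'r";

# The plain form suggested in the thread: no bind => attribute needed,
# because the value of the condition is already emitted as a placeholder.
my ($stmt, @bind) = $sqla->where({ name => { like => "%$user_input%" } });
print "SQL:  $stmt\n";      # the pattern appears as a ? placeholder
print "bind: @bind\n";      # the raw "%o'r%" value travels separately

# Caveat: binding removes the quoting problem, but '%' and '_' typed by the
# user still act as LIKE wildcards. When the term must match literally,
# escape those characters and tell the database which escape character was
# used. This uses SQL::Abstract's literal-SQL-with-bind form (\[ $sql, @bind ]);
# the ESCAPE clause and the choice of backslash are assumptions here and
# should be checked against the target database's LIKE semantics.
sub like_literal {
    my ($term) = @_;
    (my $escaped = $term) =~ s/([\\%_])/\\$1/g;   # backslash-escape \ % _
    return \[ "LIKE ? ESCAPE '\\'", "%$escaped%" ];
}

# Constructed input containing both wildcard characters.
my ($stmt2, @bind2) = $sqla->where({ name => like_literal("100%_off") });
print "SQL:  $stmt2\n";     # still a ? placeholder, now with an ESCAPE clause
print "bind: @bind2\n";     # the escaped pattern is the only bind value
```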


