[Dbix-class] patch: escaping user input - cookbook example

Jonathan Rockway jon at jrock.us
Thu Feb 7 07:33:22 GMT 2008


* On Thu, Feb 07 2008, Matt S Trout wrote:
> On Wed, Feb 06, 2008 at 01:14:22PM +0000, Carl Franks wrote:
>> On 06/02/2008, Matt S Trout <dbix-class at trout.me.uk> wrote:
>> > On Wed, Feb 06, 2008 at 10:34:09AM +0000, Carl Franks wrote:
>> > > Here's a minor patch to address an issue that I found a solution for
>> > > in the list archives, but couldn't find in the docs anywhere.
>> > >
>> > > It's against http://dev.catalyst.perl.org/repos/bast/DBIx-Class/0.08/trunk
>> > > if it should be against a different location and doesn't patch
>> > > cleanly, let me know and I'll fix it.
>> >
>> > { name => { like => $query } }
>> >
>> > works for that.
>> 
>> Did you maybe miss the leading and trailing '%' wildcards?
>
> To simplify the example, yes.
>
> The point is the bind => isn't needed at all.
>
> if that's what you're trying to illustrate then pick an example that
> actually needs the technique - if we accept a patch that used 'bind' for
> LIKE people will (quite logically) assume you have to and never find the
> easy way.

The issue is that { -like => ... } doesn't escape % signs the user may
supply.  So you have to do that manually, which is prone to error.  The
bind method theoretically handles the escaping for you, although I
haven't actually tested that.

Regards,
Jonathan Rockway
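The point at issue in this thread, a user-supplied `%` or `_` in a LIKE pattern is matched as a wildcard even when the value is passed as a bind parameter, is worth seeing run end to end. The script below is an added example, not code from this thread or from DBIx::Class; it uses plain DBI and DBD::SQLite so the underlying SQL is visible, and `escape_like` and the sample `users` table are constructed for the demonstration. Bind parameters prevent SQL injection, but a bare `%` still turns a search into a dump of the whole table (and a leading wildcard forces a full scan), so the metacharacters have to be escaped and the query has to declare the escape character with `ESCAPE`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Escape the LIKE metacharacters (% and _) and the escape character itself.
# The ESCAPE clause in the query tells the database which character we used,
# so the result is portable across SQLite, PostgreSQL and MySQL.
sub escape_like {
    my ($s) = @_;
    $s =~ s/([\\%_])/\\$1/g;
    return $s;
}

# In-memory database with a constructed sample table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (name TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name) VALUES (?)');
$ins->execute($_) for ('alice', 'bob', '100%_done', '100 percent');

# Constructed user input: a lone '%' typed into a search box.
my $query = '%';

# 1. Unescaped: the bound value cannot inject SQL, but '%' is still a
#    wildcard, so '%%%' matches every row and leaks the whole table.
my $naive = $dbh->selectcol_arrayref(
    'SELECT name FROM users WHERE name LIKE ?', undef, "%$query%");
print "unescaped '%' matched ", scalar(@$naive), " rows\n";   # 4

# 2. Escaped: '%\%%' with ESCAPE '\' treats the user's '%' literally,
#    so only names that actually contain a percent sign match.
my $safe = $dbh->selectcol_arrayref(
    q{SELECT name FROM users WHERE name LIKE ? ESCAPE '\'},
    undef, '%' . escape_like($query) . '%');
print "escaped '%' matched ", scalar(@$safe), " rows\n";      # 1
```

In a DBIx::Class `search` the same query is expressed with SQL::Abstract's literal-SQL-with-bind form, `{ name => \[ q{LIKE ? ESCAPE '\'}, '%' . escape_like($query) . '%' ] }`, which carries both the escaping and the `ESCAPE` clause without needing the `bind` attribute; that condition shape is taken from the SQL::Abstract documentation and is not exercised by the script above.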


