[Dbix-class] patch: escaping user input - cookbook example

Carl Franks fireartist at gmail.com
Thu Feb 7 11:26:14 GMT 2008


On 07/02/2008, Matt S Trout <dbix-class at trout.me.uk> wrote:
> On Wed, Feb 06, 2008 at 01:14:22PM +0000, Carl Franks wrote:
> > On 06/02/2008, Matt S Trout <dbix-class at trout.me.uk> wrote:
> > > On Wed, Feb 06, 2008 at 10:34:09AM +0000, Carl Franks wrote:
> > > > Here's a minor patch to address an issue that I found a solution for
> > > > in the list archives, but couldn't find in the docs anywhere.
> > > >
> > > > It's against http://dev.catalyst.perl.org/repos/bast/DBIx-Class/0.08/trunk
> > > > if it should be against a different location and doesn't patch
> > > > cleanly, let me know and I'll fix it.
> > >
> > > { name => { like => $query } }
> > >
> > > works for that.
> >
> > Did you maybe miss the leading and trailing '%' wildcards?
>
> To simplify the example, yes.
>
> The point is the bind => isn't needed at all.

> Though I don't quite get why you called the example "escaping user input",
> we bind the value parts of everything in where just the same way.

"user error"

I was initially using { name => { like => "%$query%" } }
but I incorrectly thought that bind would escape the '%' in a string,
and so concluded that using that construct wasn't using bind.

I've checked the source for both DBI's quote() method and mysql's
mysql_real_escape_string() and can see that neither escape wildcard
characters.

I've switched back to using { name => { like => "%$query%" } }
and have confirmed that quotes are being correctly escaped (e.g.
searching for "o'reilly") and the wildcard characters are working as
well.

Sorry for the noise - the above quoted message was the only one I
could find in the archives that seemed relevant - but I missed the
fact that $query was being used twice in that code, in the 'where' and
the 'order_by'.
And I can see now, that I was incorrectly passing 2 bind variables,
when only 1 was needed by the query - I'm surprised sqlite didn't
throw an error for that.

Carl
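Added example, not code from the thread or from DBIx::Class: Perl DBI against a constructed in-memory SQLite table, showing the point discussed above, that a bound LIKE value handles the quote in "o'reilly" correctly, while '%' and '_' in user input still act as wildcards unless the application escapes them itself (here with an ESCAPE clause). The `author` table and the `escape_like`/`search_names` helpers are assumed names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory SQLite table standing in for the resultset in the thread.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE author (name TEXT)');
$dbh->do('INSERT INTO author (name) VALUES (?)', undef, $_)
    for ("Tim O'Reilly", 'Larry Wall', '100% Perl', 'Damian Conway');

# Escape the LIKE metacharacters '%' and '_' plus the escape character itself.
# Neither DBI's quote() nor bind parameters do this; they only protect the
# SQL syntax (the quote in o'reilly), not the pattern language of LIKE.
sub escape_like {
    my ($s, $esc) = @_;
    $esc = '\\' unless defined $esc;
    $s =~ s/([\Q$esc\E%_])/$esc$1/g;
    return $s;
}

# Substring search: the value is bound (no SQL injection from the quote),
# and escape_like() keeps '%' / '_' in $query from widening the match.
sub search_names {
    my ($query) = @_;
    my $pattern = '%' . escape_like($query) . '%';
    my $rows = $dbh->selectcol_arrayref(
        q{SELECT name FROM author WHERE name LIKE ? ESCAPE '\'},
        undef, $pattern,
    );
    return @$rows;
}

print "$_\n" for search_names("o'reilly");  # quote is bound safely: Tim O'Reilly
print "$_\n" for search_names('%');         # only "100% Perl", not every row
```

Without escape_like(), the second call's pattern would be '%%%' and return the whole table.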


