[Dbix-class] Correct (and secure) searching using -like?
will trillich
will.trillich at serensoft.com
Mon Oct 8 16:17:02 GMT 2012
Octavian -- Inlining the values, as you say, would be fraught with peril --
DBI (and DBIx::Class) know better, so it's not a problem. It's not special
to the -like operator, it's part of how DBIC works.
To see it in action -- when you're single-step debugging your code, try
this:
DB<1> x $rs->as_query
You'll see that it establishes the "?" placeholders in the query, and binds
the values (à la $sth->execute( @_ )) at runtime.
Here's an example of what a query might look like:
  DB<1> x $rs->as_query
0  REF(0xcd53148)
   -> ARRAY(0xcd53258)
      0  '(SELECT me.id, me.name, me.team, me.active FROM team me WHERE ( me.id IN ( ?, ?, ? ) ) ORDER BY name)'
      1  ARRAY(0xcd52e88)
         0  'me.id'
         1  138
      2  ARRAY(0xcd040d8)
         0  'me.id'
         1  387
      3  ARRAY(0xcc28bc8)
         0  'me.id'
         1  412
So if someone put nefarious strings in one of the ID values, it'd still be
quoted.
On Mon, Oct 8, 2012 at 2:49 AM, Octavian Rasnita <orasnita at gmail.com> wrote:
> Hi,
>
> I've seen examples of searching in a database using the LIKE operator like:
>
> $rs = $rs->search( {
>     name => { -like => "%$name%" },
> } );
>
> It doesn't look to be very secure to quote the variable $name this way.
> Or maybe the special chars in the whole composed string "%$name%" are then
> escaped if -like key is used?
> Or is there a better alternative?
>
> Thanks.
>
> --Octavian
>
>
> _______________________________________________
> List: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/dbix-class
> IRC: irc.perl.org#dbix-class
> SVN: http://dev.catalyst.perl.org/repos/bast/DBIx-Class/
> Searchable Archive:
> http://www.grokbase.com/group/dbix-class@lists.scsys.co.uk
>
-- 
Will Trillich :: 812.454.6431
"Waiting for perfect is never as smart as making progress." -- Seth Godin
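The behaviour Will describes, as an added, self-contained example (this is not code from the original post or from the DBIx::Class project): it builds an in-memory SQLite schema, shows that a hostile $name in a -like search arrives at the database as a bind value behind a "?" placeholder, and then shows the one thing the placeholder does not cover, namely that "%" and "_" inside $name are still LIKE wildcards, along with one way to neutralise them. The schema, table, rows, the helper names sql_and_binds and escape_like, and the ESCAPE '\' syntax (as accepted by SQLite) are all assumptions made for this illustration; it needs DBIx::Class and DBD::SQLite installed.

```perl
#!/usr/bin/env perl
# Added example, not from the original post or the DBIx::Class project.
# Assumes DBIx::Class and DBD::SQLite; schema, table and rows are constructed here.
use strict;
use warnings;

package My::Schema::Result::Team;
use base 'DBIx::Class::Core';
__PACKAGE__->table('team');
__PACKAGE__->add_columns(qw(id name team active));
__PACKAGE__->set_primary_key('id');

package My::Schema;
use base 'DBIx::Class::Schema';
__PACKAGE__->register_class(Team => 'My::Schema::Result::Team');

package main;

my $schema = My::Schema->connect('dbi:SQLite:dbname=:memory:');
$schema->storage->dbh->do(
    'CREATE TABLE team (id INTEGER PRIMARY KEY, name TEXT, team TEXT, active INTEGER)'
);
$schema->resultset('Team')->populate([
    [qw(id name team active)],
    [ 1, 'alice',      'red',  1 ],
    [ 2, 'bob',        'blue', 1 ],
    [ 3, '100%_match', 'red',  0 ],   # constructed row whose name contains LIKE wildcards
]);

# Return the SQL text and the plain bind values for a resultset.
# as_query returns \[ $sql, @bind ]; each bind entry is a two-element array
# whose last element is the value (the first is column metadata, whose shape
# differs between DBIC releases), so take the last element of each.
sub sql_and_binds {
    my ($rs) = @_;
    my ($sql, @bind) = @{ ${ $rs->as_query } };
    return ($sql, map { ref $_ eq 'ARRAY' ? $_->[-1] : $_ } @bind);
}

# 1. An injection attempt becomes a bind value; the SQL text only ever holds "?".
my $evil = "'; DROP TABLE team; --";
my $rs   = $schema->resultset('Team')->search({ name => { -like => "%$evil%" } });
my ($sql, @bind) = sql_and_binds($rs);
print "$sql\n";                      # ... WHERE ( me.name LIKE ? ) ...
print "bind: @bind\n";               # bind: %'; DROP TABLE team; --%
printf "rows matched: %d (table still exists)\n", $rs->count;

# 2. What the placeholder does NOT protect against: the caller controls the
#    LIKE pattern itself, so a $name of "%" matches every row.
my $name   = '%';
my $rs_all = $schema->resultset('Team')->search({ name => { -like => "%$name%" } });
printf "'%%' as search term matches %d rows\n", $rs_all->count;

# 3. Escape LIKE metacharacters in the user's term and tell the database
#    which escape character was used. The ESCAPE clause is supplied as
#    literal SQL with its own bind via SQL::Abstract's \[ $sql, @bind ] form.
#    (ESCAPE '\' is written for SQLite; other databases spell this differently.)
sub escape_like {
    my ($term) = @_;
    (my $out = $term) =~ s/([\\%_])/\\$1/g;
    return $out;
}

for my $term ('%', '100%_match', 'bob') {
    my $pattern = '%' . escape_like($term) . '%';
    my $rs_safe = $schema->resultset('Team')->search(
        { name => { -like => \[ q{? ESCAPE '\'}, $pattern ] } }
    );
    printf "term %-14s pattern %-18s matches %d row(s)\n",
        "'$term'", "'$pattern'", $rs_safe->count;
}
```

Run it with `perl like_demo.pl`. The first block prints the query with a lone "?" where the name pattern goes and the hostile string only in the bind list, which is Will's point; the second and third blocks show that "%" on its own still matches all three rows until the term is escaped, after which '%' matches only the constructed row that contains a literal percent sign.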