[Dbix-class] Correct (and secure) searching using -like?

Bill Moseley moseley at hank.org
Mon Oct 8 17:28:25 GMT 2012

On Mon, Oct 8, 2012 at 12:49 AM, Octavian Rasnita <orasnita at gmail.com>wrote:

> Hi,
> I've seen examples of searching in a database using the LIKE operator lik=
> $rs =3D $rs->search( {
>     name =3D> { -like =3D> "%$name%" },
> } );

I just wrote something similar a few minutes ago.

> It doesn't look to be very secure to quote the variable $name this way.

It's still a bind parameter.   But, what I do is remove any existing
special characters and make sure $name has enough (for some value of
enough) characters to make it a reasonable search.  Searching for %i% isn't
very useful and can return a lot of rows.

At one time I tried to escape special characters but found it cleaner to
just remove.

Depending on what you are searching, I suspect often the correct answer is
to use a full-text search (e.g. tsearch2 in Postgresql) instead.

-- =

Bill Moseley
moseley at hank.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.scsys.co.uk/pipermail/dbix-class/attachments/20121008/0e7=

More information about the DBIx-Class mailing list