[Dbix-class] Correct (and secure) searching using -like?
Bill Moseley
moseley at hank.org
Mon Oct 8 17:28:25 GMT 2012
On Mon, Oct 8, 2012 at 12:49 AM, Octavian Rasnita <orasnita at gmail.com> wrote:
> Hi,
>
> I've seen examples of searching in a database using the LIKE operator like:
>
> $rs = $rs->search( {
> name => { -like => "%$name%" },
> } );
>
I just wrote something similar a few minutes ago.
> It doesn't look to be very secure to quote the variable $name this way.
>
It's still a bind parameter. But, what I do is remove any existing
special characters and make sure $name has enough (for some value of
enough) characters to make it a reasonable search. Searching for %i% isn't
very useful and can return a lot of rows.
At one time I tried to escape special characters but found it cleaner to
just remove.
Depending on what you are searching, I suspect often the correct answer is
to use a full-text search (e.g. tsearch2 in PostgreSQL) instead.
-- 
Bill Moseley
moseley at hank.org
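The point made above, that "%$name%" is still a bind parameter (so no SQL injection) but that "%" and "_" inside $name are still interpreted by LIKE, is shown below in a small added example. It is not code from the thread or from DBIx::Class; it is written in Python against an in-memory SQLite database so it runs without a Perl stack, and the sample rows are constructed. It contrasts three variants: the naive "%$term%" pattern, the same pattern with the metacharacters escaped and an SQL ESCAPE clause, and the approach described in the reply of stripping the metacharacters and enforcing a minimum length.

```python
import re
import sqlite3

# Constructed sample rows (not from the original thread).
SAMPLE_NAMES = ["Alice", "Bob", "Carol", "100% cotton", "under_score"]


def make_db():
    """In-memory SQLite table standing in for the DBIx::Class resultset."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO item (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def naive_search(conn, term):
    """Equivalent of search({ name => { -like => "%$name%" } }).

    The pattern travels as a bind parameter, so a term like "' OR 1=1 --"
    is harmless, but a term of "%" or "_" still acts as a wildcard and
    matches every row.
    """
    pattern = f"%{term}%"
    rows = conn.execute("SELECT name FROM item WHERE name LIKE ?", (pattern,))
    return [r[0] for r in rows]


# LIKE metacharacters plus the escape character itself.
_LIKE_META = re.compile(r"[\\%_]")


def escape_like(term, esc="\\"):
    """Prefix every LIKE metacharacter (and the escape char) with esc."""
    return _LIKE_META.sub(lambda m: esc + m.group(0), term)


def escaped_search(conn, term):
    """Keep the user's literal '%' and '_' by escaping them and telling the
    database which escape character was used (SQL ESCAPE clause)."""
    pattern = f"%{escape_like(term)}%"
    rows = conn.execute(
        "SELECT name FROM item WHERE name LIKE ? ESCAPE '\\'", (pattern,))
    return [r[0] for r in rows]


def stripped_search(conn, term, min_len=3):
    """The approach from the reply: remove the metacharacters outright and
    refuse terms that are too short to be a reasonable search."""
    cleaned = _LIKE_META.sub("", term)
    if len(cleaned) < min_len:
        raise ValueError(f"search term too short after cleaning: {cleaned!r}")
    pattern = f"%{cleaned}%"
    rows = conn.execute("SELECT name FROM item WHERE name LIKE ?", (pattern,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("naive    '%':", naive_search(db, "%"))       # every row
    print("escaped  '%':", escaped_search(db, "%"))     # only '100% cotton'
    print("stripped '%ice%':", stripped_search(db, "%ice%"))
```

Note that SQLite's LIKE is case-insensitive for ASCII by default, and that the ESCAPE character is database-specific syntax; check your database's documentation for how it treats backslash in LIKE patterns before relying on the escaped variant.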