[Dbix-class] Correct (and secure) searching using -like?
Octavian Rasnita
octavian.rasnita at ssifbroker.ro
Tue Oct 9 08:04:34 GMT 2012
From: Bill Moseley

On Mon, Oct 8, 2012 at 12:49 AM, Octavian Rasnita <orasnita at gmail.com> wrote:

>> It doesn't look to be very secure to quote the variable $name this way.

> It's still a bind parameter. But what I do is remove any existing special characters and make sure $name has enough (for some value of enough) characters to make it a reasonable search. Searching for %i% isn't very useful and can return a lot of rows.
> At one time I tried to escape special characters but found it cleaner to just remove.

I have also deleted the special chars, but I wanted to be sure that it would work securely without deleting them.
But now I think it should be secure.

> Depending on what you are searching, I suspect often the correct answer is to use a full-text search (e.g. tsearch2 in PostgreSQL) instead.

I use MySQL, but it is just a simple search in a small table and a full-text search wouldn't be useful.
Thanks.
Octavian.
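The two approaches the thread compares (strip the LIKE metacharacters, or escape them and keep them) together with the minimum-length check Bill mentions, as an added example that is not code from the thread or from DBIx::Class itself. It assumes a resultset such as `$schema->resultset('Person')` with a `name` column, and a database whose default LIKE escape character is backslash (MySQL and PostgreSQL; other engines need an explicit ESCAPE clause, which DBIx::Class would require as a literal SQL fragment):

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Added example (not from the thread or from DBIx::Class). Shows the two
# approaches discussed: stripping LIKE metacharacters from $name, or escaping
# them, plus a minimum-length check so that a pattern like %i% is refused.
# Assumed: a DBIx::Class resultset with a 'name' column is passed in, and the
# database treats backslash as the default LIKE escape character (MySQL and
# PostgreSQL do; other engines may need an explicit ESCAPE clause).

use constant MIN_SEARCH_LEN => 3;   # constructed threshold; tune to your data

# Approach 1 (Bill's): keep only letters, digits, spaces, hyphens and
# apostrophes. This removes % and _ along with every other metacharacter.
sub strip_for_like {
    my ($name) = @_;
    $name =~ s/[^\p{Alnum}\s'-]//g;
    $name =~ s/\s+/ /g;             # collapse runs of whitespace
    $name =~ s/^ | $//g;            # trim leading/trailing space
    return $name;
}

# Approach 2 (what the question asks about): keep the user's characters but
# escape the LIKE wildcards (and the escape character itself) so that they
# match literally instead of acting as wildcards.
sub escape_for_like {
    my ($name) = @_;
    $name =~ s/([\\%_])/\\$1/g;
    return $name;
}

# Count the characters that actually constrain the search; wildcards and
# whitespace do not. Returns undef when the search would be too unspecific.
sub like_pattern {
    my ($name, $mode) = @_;
    return undef unless defined $name;
    (my $real = $name) =~ s/[%_\s]//g;
    return undef if length($real) < MIN_SEARCH_LEN;
    return $mode eq 'escape' ? escape_for_like($name) : strip_for_like($name);
}

# $rs is assumed to be e.g. $schema->resultset('Person'). The pattern is
# still passed as a bind value: SQL::Abstract renders "name LIKE ?" and DBI
# binds the string, so SQL quoting is never done by hand here. What the
# cleaning controls is only how many rows a single request can match.
sub search_by_name {
    my ($rs, $name, $mode) = @_;
    my $pattern = like_pattern($name, $mode // 'escape');
    return unless defined $pattern;
    return $rs->search({ name => { -like => "%$pattern%" } });
}

# Stand-alone demonstration of the pattern-building part (no database needed),
# over a few constructed inputs.
unless (caller) {
    for my $input ('%i%', 'Smith_%', "O'Brien", 'Ana Maria') {
        for my $mode (qw(strip escape)) {
            my $p = like_pattern($input, $mode);
            printf "%-10s %-6s -> %s\n", $input, $mode,
                defined $p ? "LIKE '%$p%'" : '(rejected: too short to be a useful search)';
        }
    }
}
```

Run it directly to see how each input is turned into a pattern; `%i%` is rejected in both modes because only one real character remains, while `Smith_%` becomes `Smith` when stripped and `Smith\_\%` when escaped. Whichever mode is used, the value reaches the database as a placeholder argument, which is why the quoting itself was never the exposure; the length check is what keeps a near-empty pattern from scanning and returning most of the table.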