[Dbix-class] Correct (and secure) searching using -like?

Octavian Rasnita octavian.rasnita at ssifbroker.ro
Tue Oct 9 08:04:34 GMT 2012

From: Bill Moseley =

  On Mon, Oct 8, 2012 at 12:49 AM, Octavian Rasnita <orasnita at gmail.com> wr=

  It doesn't look to be very secure to quote the variable $name this way.

  It's still a bind parameter.   But, what I do is remove any existing spec=
ial characters and make sure $name has enough (for some value of enough) ch=
aracters to make it a reasonable search.  Searching for %i% isn't very usef=
ul and can return a lot of rows.
  At one time I tried to escape special characters but found it cleaner to =
just remove.

  I have also deleted the special chars, but I wanted to be sure that it wo=
uld work securely without deleting them.
  But now I think it should be secure.

  Depending on what you are searching, I suspect often the correct answer i=
s to use a full-text search (e.g. tsearch2 in Postgresql) instead.

  I use MySQL, but it is just a simple search in a small table and a fullte=
xt search wouldn't be useful.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.scsys.co.uk/pipermail/dbix-class/attachments/20121009/0e4=

More information about the DBIx-Class mailing list