On 2006-09-23 22:18:35 +0200, Bernhard Graf wrote:
> my $esc =
>   $c->model('DB::Table')->result_source->schema->storage->dbh->get_info(14);
> my $input = $c->request->params->{input};
> $input =~ s/([_%])/$esc$1/g;
>
> Not very pretty, but always needed, where user input from external
> sources is used inside SQL queries.
Well, sure, if you're building SQL strings yourself. But DBIx::Class uses placeholders and bind variables unless explicitly told not to (NoBindVars), and even then makes a decent attempt to quote the values via the dbh. That doesn't mean you shouldn't validate user input, but that's more about saying what's allowed than trying to prevent everything invalid.

-- 
Daniel Westermann-Clark

_______________________________________________
List: http://lists.rawmode.org/cgi-bin/mailman/listinfo/dbix-class
Wiki: http://dbix-class.shadowcatsystems.co.uk/
IRC: irc.perl.org#dbix-class
SVN: http://dev.catalyst.perl.org/repos/bast/trunk/DBIx-Class/
Searchable Archive: http://www.mail-archive.com/dbix-class@lists.rawmode.org/
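The two messages above make two separate points: bind variables already keep user input from being parsed as SQL, while `_` and `%` are still live wildcards once that input lands inside a LIKE pattern. The script below is an added example written for this archive page, not code from either poster or from DBIx::Class. It uses plain DBI against an in-memory SQLite database (constructed sample rows) so that it runs offline; the fallback to a backslash when `get_info(14)` returns nothing is an assumption for drivers that do not report an escape character.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): bind variables stop SQL injection,
# but LIKE wildcards in user input are a separate problem that still needs
# escaping. Requires DBI and DBD::SQLite; all rows below are constructed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (name TEXT NOT NULL)');
my $ins = $dbh->prepare('INSERT INTO users (name) VALUES (?)');
$ins->execute($_) for ('alice', 'bob_smith', 'bobby', '100%', "x' OR '1'='1");

# 1) Equality through a bind variable: the quote in the input is data,
#    not SQL, so only the literally matching row comes back.
my ($exact) = $dbh->selectrow_array(
    'SELECT COUNT(*) FROM users WHERE name = ?', undef, "x' OR '1'='1");
print "exact match on injection-looking string: $exact row(s)\n";   # 1, not 5

# 2) The same bind variable inside LIKE: still no injection, but the
#    underscore in the input is now a single-character wildcard.
my $raw = 'bob_';
my ($loose) = $dbh->selectrow_array(
    'SELECT COUNT(*) FROM users WHERE name LIKE ?', undef, "$raw%");
print "LIKE with unescaped '$raw': $loose row(s)\n";    # bob_smith AND bobby

# 3) Escape the wildcards as in the quoted post, using the driver's
#    search-pattern escape character (SQL_SEARCH_PATTERN_ESCAPE = 14).
#    Assumption: fall back to backslash if the driver reports none.
my $esc = $dbh->get_info(14) // '\\';
# Also escape the escape character itself, in case it appears in input.
(my $safe = $raw) =~ s/([_%\Q$esc\E])/$esc$1/g;
# The escape character must be declared in the query; bind it rather than
# interpolating it into the SQL text.
my ($strict) = $dbh->selectrow_array(
    'SELECT COUNT(*) FROM users WHERE name LIKE ? ESCAPE ?',
    undef, "$safe%", $esc);
print "LIKE with escaped '$safe': $strict row(s)\n";    # bob_smith only
```

Run it with `perl like_escape.pl` (any file name works). The first query shows why the injection worry in the original post is already handled by placeholders; the second and third show the part that is not: without escaping, `bob_` also matches `bobby`, which is a search-semantics bug rather than an injection, but one that lets callers probe data they did not ask for. When the pattern is passed to DBIx::Class (for example through an SQL::Abstract `-like` condition), it travels as a bind variable in the same way, so wildcard escaping remains the caller's job.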