From: Bill Moseley
On Mon, Oct 8, 2012 at 12:49 AM, Octavian Rasnita <orasn...@gmail.com> wrote:

>> It doesn't look to be very secure to quote the variable $name this way.
>
> It's still a bind parameter. But, what I do is remove any existing special
> characters and make sure $name has enough (for some value of enough)
> characters to make it a reasonable search. Searching for %i% isn't very
> useful and can return a lot of rows.
>
> At one time I tried to escape special characters but found it cleaner to
> just remove.

** I have also deleted the special chars, but I wanted to be sure that it
would work securely without deleting them. But now I think it should be
secure.

> Depending on what you are searching, I suspect often the correct answer is
> to use a full-text search (e.g. tsearch2 in Postgresql) instead.

** I use MySQL, but it is just a simple search in a small table and a
fulltext search wouldn't be useful.

Thanks.
Octavian.
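The point made above, that a LIKE pattern built from user input is safe from SQL injection as long as the pattern is passed as a bind parameter, but that the LIKE metacharacters (% and _) still need handling, can be shown in a few lines. The following is an added example, not code from the thread: it uses Python's sqlite3 module rather than Perl and DBIx::Class, the users table and its rows are constructed, and the minimum length of 3 stands in for the "some value of enough" above. It contrasts the two approaches discussed (stripping the metacharacters versus escaping them with an ESCAPE clause) and a "raw" mode that does neither, which is what lets a bare "%" match the whole table.

```python
import sqlite3

# Constructed sample data standing in for the "small table" in the thread.
_ROWS = [("alice",), ("bob_smith",), ("50% off",), ("carol",)]

MIN_LEN = 3  # assumed value for "enough characters to make it a reasonable search"


def make_db():
    """Build an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", _ROWS)
    return conn


def strip_wildcards(term):
    """Remove LIKE metacharacters (and the escape char) from the user's term."""
    return "".join(ch for ch in term if ch not in "%_\\")


def escape_wildcards(term):
    """Keep the metacharacters but make them match literally via ESCAPE '\\'."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


_SANITIZERS = {
    "strip": strip_wildcards,
    "escape": escape_wildcards,
    "raw": lambda term: term,  # no treatment at all, for contrast only
}


def search(conn, term, mode="strip"):
    """Substring search on users.name; returns matching names in sorted order.

    The pattern is always passed as a bind parameter, so quotes or SQL
    fragments in `term` are data, never SQL. The sanitizer only decides
    whether the user can inject LIKE wildcards into the pattern.
    """
    term = _SANITIZERS[mode](term)
    if len(term) < MIN_LEN:
        return []  # too short to be a reasonable search; avoids near-full scans
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    conn = make_db()
    print(search(conn, "ali"))                 # ordinary substring match
    print(search(conn, "' OR 1=1 --"))         # bound as data: matches nothing
    print(search(conn, "%%%", "raw"))          # raw wildcards: whole table
    print(search(conn, "%%%", "strip"))        # stripped to "", rejected
    print(search(conn, "50% o", "strip"))      # "%" removed, no longer matches
    print(search(conn, "50% o", "escape"))     # escaped, matches literally
```

The quoted-string attempt matches nothing because the driver sends it as a parameter value, which is the "still a bind parameter" observation. Stripping is simpler, as the thread says, but it changes what the user asked for: "50% o" no longer finds "50% off", whereas escaping finds it while still refusing to let "%%%" act as a wildcard.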
_______________________________________________
List: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/dbix-class
IRC: irc.perl.org#dbix-class
SVN: http://dev.catalyst.perl.org/repos/bast/DBIx-Class/
Searchable Archive: http://www.grokbase.com/group/dbix-class@lists.scsys.co.uk