Don't build SQL strings up from fragments that contain user input -- it's
what makes the application subject to SQL injection in the first place.
Safest would be to use a bound parameter for the literal. See here for
details:
Felix Schwarz wrote:
Hi,
I have a question related to SQL injection when using a clause like
this: User.c.username.like('%' + userinput + '%')
What restrictions do I have to put on the variable userinput? Of course,
I will ensure that there is no percent character ('%') in userinput. Is that
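The difference between the concatenated LIKE pattern in the quoted question and the bound-parameter approach the reply recommends, as an added example that is not from the thread; it uses the standard library's sqlite3 module rather than SQLAlchemy, and the table and usernames are constructed.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
USERS = [("alice",), ("bob_smith",), ("carol%",), ("dave",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", USERS)
    return conn


def unsafe_search(conn, userinput):
    # Vulnerable form: user-controlled text is spliced into the SQL string,
    # so quotes in it alter the statement and % / _ act as wildcards.
    sql = "SELECT username FROM users WHERE username LIKE '%" + userinput + "%'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.Error:
        # A single quote in the input breaks the statement; surface that as None.
        return None


def escape_like(s, esc="\\"):
    # Neutralise LIKE metacharacters so the user's text is matched literally.
    return (s.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def safe_search(conn, userinput):
    # Hardened form: the pattern travels as a bound parameter, so quotes in
    # userinput can never terminate the literal; ESCAPE keeps % and _ literal.
    pattern = "%" + escape_like(userinput) + "%"
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    db = make_db()
    for needle in ["bob", "%", "_", "o'"]:
        print(repr(needle), unsafe_search(db, needle), safe_search(db, needle))
```

Stripping '%' from the input, as the question proposes, still leaves '_' as a wildcard and a quote as a statement breaker; only the bound parameter plus ESCAPE handles all three.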