> And how many web forms forget to check the presence of a percent sign
> and are executing SQL searches without checking it using clauses
> similar to "WHERE table.field LIKE :parameter" by binding directly the
> submitted form value to the "parameter" variable placeholder, ignoring
> the fact that the percent sign in the right operand of a LIKE is
> parsed specially by the SQL engine ?

Any magic character should be escaped when supplied as a prepared
statement parameter, so the above scenario is unlikely to happen in
any sane database engine.
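To show what a LIKE parameter actually does when the form value is bound as-is, here is a small added example (not code from either poster) using Python's sqlite3 module against a constructed in-memory table. The first query binds the raw value, the second applies the usual mitigation of escaping `%`, `_` and the escape character itself and declaring that escape character with an ESCAPE clause; the table contents and function names are assumptions made for the demonstration.

```python
import sqlite3

ESC = "\\"  # escape character declared in the ESCAPE clause below


def make_db():
    """Constructed sample table: three names, one containing LIKE metacharacters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?)",
        [("alice",), ("bob",), ("100%_done",)],
    )
    return conn


def search_bound(conn, term):
    """Bind the submitted value directly as the right operand of LIKE.

    The placeholder stops the value from altering the SQL statement, but
    '%' and '_' inside the value are still interpreted as LIKE wildcards.
    """
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ?", (term,))
    return sorted(r[0] for r in rows)


def escape_like(term, esc=ESC):
    """Escape the escape character first, then the two LIKE wildcards."""
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_escaped(conn, term):
    """Prefix search where the user-supplied part is matched literally.

    The application appends its own trailing '%' after escaping, and the
    ESCAPE clause tells the engine which character marks a literal.
    """
    pattern = escape_like(term) + "%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    )
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(search_bound(db, "%"))        # wildcard survives binding: every row
    print(search_escaped(db, "%"))      # treated as a literal '%': no row
    print(search_escaped(db, "100%"))   # literal prefix match on '100%_done'
```

Running it shows that a bare `%` bound as the parameter returns every row, while the escaped version only matches rows that literally start with the submitted text; the same escaping pattern applies to other engines, with the escape character adjusted to whatever their ESCAPE clause accepts.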
