On Mon, Aug 4, 2008 at 1:36 AM, Larry Garfield <[EMAIL PROTECTED]> wrote:
> Hi folks. I am trying to figure out the best way to handle an interesting
> issue in PDO prepared statements. Consider:
>
> $search = 'mystring';
>
> $stmt = $dbh->prepare("SELECT * FROM mytable WHERE myfield LIKE :myfiel
Sorry - switched address to the wrong list :(
*I* hate reply not going to the right place - but one of these days I'll switch
to something that just ignores the onboard misdirection ;)
Larry Garfield wrote:
> I'm building a multi-database system, although my main targets are MySQL,
> Postgres, and SQLite.
How would those handle something like "a string that ends in 100%"?
On Monday 04 August 2008 6:18:24 pm Asher Snyder wrote:
> Depending on what database you're using you might be able to use LIKE
>
Depending on what database you're using you might be able to use LIKE
while maintaining security. For instance PostgreSQL has the functions
quote_ident(), and quote_literal() which would allow you to use LIKE
since these functions would automatically make the string suitable for
comparison.
Like I said, I'm not 'especially pleased' with any idea up until now. I'm
certainly open to any other ideas.
Adam
On Mon, Aug 4, 2008 at 6:57 PM, Larry Garfield <[EMAIL PROTECTED]>wrote:
>
> Hm. So your solution is "don't use LIKE"? I can't say I'm wild about
> that. :-/
>
> --Larry Garfield
Hm. So your solution is "don't use LIKE"? I can't say I'm wild about that. :-/
--Larry Garfield
On Mon, 4 Aug 2008 15:49:52 -0400, "Adam Richardson" <[EMAIL PROTECTED]> wrote:
> Larry,
>
> I agree that having to escape values in a stored procedure does run
> counter
> to expectations. It's l
Larry,
I agree that having to escape values in a stored procedure does run counter
to expectations. It's likely other developers have the potential for
short-circuiting their LIKE conditions without realizing it.
I've dealt with this issue, too, and haven't been especially pleased with
any of th
> -Original Message-
> From: Andrew Ballard [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2008 10:49 AM
> To: PHP General list
> Subject: Re: [PHP] PDO prepared statements and LIKE escaping
>
> On Mon, Aug 4, 2008 at 11:35 AM, Larry Garfield
> <[EMAIL PR
On Mon, 4 Aug 2008 11:48:39 -0400, "Andrew Ballard" <[EMAIL PROTECTED]> wrote:
> On Mon, Aug 4, 2008 at 11:35 AM, Larry Garfield <[EMAIL PROTECTED]>
> wrote:
>>
>> On Mon, 04 Aug 2008 08:33:44 +0200, Per Jessen <[EMAIL PROTECTED]> wrote:
>>> Larry Garfield wrote:
>>>
IIRC, the way in SQL to c
On Mon, Aug 4, 2008 at 11:35 AM, Larry Garfield <[EMAIL PROTECTED]> wrote:
>
> On Mon, 04 Aug 2008 08:33:44 +0200, Per Jessen <[EMAIL PROTECTED]> wrote:
>> Larry Garfield wrote:
>>
>>> IIRC, the way in SQL to circumvent that is to convert "100%" into
>>> "100%%". However, that does rather defeat th
Larry Garfield wrote:
> Actually in most cases in PHP you don't get much performance.
Exactly.
> What you do get is added security, because prepared statements are
> cleaner and more reliable than string escaping. Of course, then we run
> into the % problem above.
I don't really
On Mon, 04 Aug 2008 08:33:44 +0200, Per Jessen <[EMAIL PROTECTED]> wrote:
> Larry Garfield wrote:
>
>> IIRC, the way in SQL to circumvent that is to convert "100%" into
>> "100%%". However, that does rather defeat the purpose of a prepared
>> statement if I have to do my own escaping anyway, does
Larry Garfield wrote:
> IIRC, the way in SQL to circumvent that is to convert "100%" into
> "100%%". However, that does rather defeat the purpose of a prepared
> statement if I have to do my own escaping anyway, does it not?
Depends on what you perceive the purpose of the prepared statement to
b
Hi folks. I am trying to figure out the best way to handle an interesting
issue in PDO prepared statements. Consider:
$search = 'mystring';
$stmt = $dbh->prepare("SELECT * FROM mytable WHERE myfield LIKE :myfield");
$stmt->execute(array(':myfield' => $search . '%'));
The above will search for
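The problem Larry describes, and the portable fix for it, as an added example that is not code from the thread. It uses Python's sqlite3 module rather than PHP/PDO so it runs stand-alone, but the SQL is the same on SQLite, MySQL and PostgreSQL: the bound parameter stops SQL injection, yet any % or _ inside the user's string is still a LIKE wildcard, so the user part has to be escaped and the query has to declare the escape character with an ESCAPE clause. The table, rows, helper names and the choice of "!" as the escape character are all assumptions of this example.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original thread).
ROWS = ["100%", "100% cotton", "1000", "abc100", "under_score", "wow!", "plain"]

# Escape character declared in the ESCAPE clause. "!" is chosen (assumption)
# because, unlike backslash, it is not also a string-literal escape in MySQL,
# so the same SQL text works unchanged on SQLite, MySQL and PostgreSQL.
LIKE_ESCAPE = "!"


def escape_like(value: str, esc: str = LIKE_ESCAPE) -> str:
    """Neutralise LIKE metacharacters in a user-supplied string.

    The escape character itself is doubled first, so a user-supplied "!"
    cannot un-escape a following % or _.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def setup_db() -> sqlite3.Connection:
    """In-memory table with the same shape as Larry's mytable/myfield."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (myfield TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?)", [(r,) for r in ROWS])
    return conn


def prefix_search_naive(conn: sqlite3.Connection, search: str) -> list:
    """Larry's original pattern: bind search . '%' as one parameter.

    Safe from SQL injection, but % and _ inside `search` are still
    interpreted by LIKE, so "100%" matches every row starting with "100"
    and "%" alone matches the whole table.
    """
    cur = conn.execute("SELECT myfield FROM mytable WHERE myfield LIKE ?",
                       (search + "%",))
    return [row[0] for row in cur]


def prefix_search_safe(conn: sqlite3.Connection, search: str) -> list:
    """Escape the user part only, append the real wildcard, declare ESCAPE.

    Both the pattern and the escape character are bound parameters, so no
    string is ever spliced into the SQL text.
    """
    pattern = escape_like(search) + "%"
    cur = conn.execute(
        "SELECT myfield FROM mytable WHERE myfield LIKE ? ESCAPE ?",
        (pattern, LIKE_ESCAPE))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = setup_db()
    for term in ["100%", "%", "under_", "wow!"]:
        print(repr(term), "naive:", prefix_search_naive(db, term),
              "safe:", prefix_search_safe(db, term))
```

The PDO equivalent is to put the literal ESCAPE '!' in the prepared SQL and bind escape_like($search) . '%' as the parameter; the escaping is done in application code because the prepared statement only protects the SQL structure, not the semantics of the pattern language LIKE interprets. Declare ESCAPE explicitly on every database: SQLite has no escape character unless you name one, while MySQL and PostgreSQL default to backslash, which is the kind of per-backend difference a multi-database layer should not depend on.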