Re: PDO prepared statements and LIKE escaping

Larry,

I agree that having to escape values in a stored procedure does run counter
to expectations.  It's likely other developers have the potential for
short-circuiting their LIKE conditions without realizing it.

I've dealt with this issue, too, and haven't been especially pleased with
any of the solutions I've undertaken.  Recently, I've been avoiding LIKE
conditions and using INSTR, LOCATE, CHARINDEX, etc. to avoid the potential
for unescaped wildcards.

Adam

On Mon, Aug 4, 2008 at 12:33 PM, Larry Garfield <larry@xxxxxxxxxxxxxxxx> wrote:

>
> On Mon, 4 Aug 2008 11:48:39 -0400, "Andrew Ballard" <aballard@xxxxxxxxx>
> wrote:
> > On Mon, Aug 4, 2008 at 11:35 AM, Larry Garfield <larry@xxxxxxxxxxxxxxxx>
> > wrote:
> >>
> >> On Mon, 04 Aug 2008 08:33:44 +0200, Per Jessen <per@xxxxxxxxxxxx>
> wrote:
> >>> Larry Garfield wrote:
> >>>
> >>>> IIRC, the way in SQL to circumvent that is to convert "100%" into
> >>>> "100%%". However, that does rather defeat the purpose of a prepared
> >>>> statement if I have to do my own escaping anyway, does it not?
> >>>
> >>> Depends on what you perceive the purpose of the prepared statement to
> >>> be :-)  In this context, I tend to think of performance only.  Which is
> >>> generally why I can't be bothered with prepared statements in php.
> >>
> >> Actually in most cases in PHP you don't get much performance.  What you
> >> do get is added security, because prepared statements are cleaner and
> >> more reliable than string escaping.  Of course, then we run into the %
> >> problem above.
> >>
> >> --Larry Garfield
> >
> > True. I wish PDO would add an option of creating a parameterized query
> > WITHOUT preparing it, at least for SQL Server. Why? There is overhead
> > to creating the statement that way. I prefer using the "prepared
> > statement" method as it decreases the exposure and risk to SQL
> > injection.
> >
> > I'd like to see an option like the Microsoft ADO library so that I can
> > prepare the statement if I will be running it several times with
> > different parameter values each time, or choose not to incur the
> > overhead if I'm only going to run a statement once.
>
> I've solved that at least for the given page request with a caching layer
> on top of PDO.  It caches and reuses the statement objects.  The problem is
> the issue with LIKE as described above, which I still haven't figured out
> yet.
>
> --Larry Garfield
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
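
The LIKE wildcard problem Larry describes above, and the INSTR alternative Adam mentions, as an added example that is not code from this thread or from PDO itself. It uses PDO against an in-memory SQLite database (assumes the pdo_sqlite extension is loaded), constructed sample rows, and a hypothetical escapeLike() helper:

```php
<?php
// Added example (not code from the thread): shows why a bound LIKE parameter
// can still match more than intended, and two ways to make the match literal.
// Uses an in-memory SQLite database so it runs stand-alone; assumes the
// pdo_sqlite extension is loaded.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows. A user searching for "100%" should only expect
// the names that really begin with "100%".
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO products (name) VALUES (:name)');
foreach (['100%', '100% cotton', '1000 pack', 'widget'] as $name) {
    $insert->execute([':name' => $name]);
}

/**
 * Hypothetical helper: escape the LIKE metacharacters % and _ (and the
 * escape character itself) so the bound value is matched literally.
 * The escape character must be the one named in the query's ESCAPE clause.
 * It is replaced first so that one already present in the input cannot
 * pair up with a following % or _.
 */
function escapeLike(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/** Run a prepared query with bound parameters and return the matched names. */
function namesMatching(PDO $pdo, string $sql, array $params): array
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

$userInput = '100%';   // constructed input that happens to contain a wildcard

// 1. The problem: binding prevents SQL injection, but % is still a LIKE
//    wildcard inside the bound value, so a "starts with" search over-matches.
$naive = namesMatching(
    $pdo,
    'SELECT name FROM products WHERE name LIKE :pattern',
    [':pattern' => $userInput . '%']
);

// 2. Fix A: escape the wildcards in the value and name the escape character
//    with ESCAPE, so only the trailing % appended here acts as a wildcard.
$escaped = namesMatching(
    $pdo,
    "SELECT name FROM products WHERE name LIKE :pattern ESCAPE '!'",
    [':pattern' => escapeLike($userInput) . '%']
);

// 3. Fix B, the approach Adam describes: avoid LIKE and test for a substring
//    with INSTR, which has no metacharacters at all.
$substring = namesMatching(
    $pdo,
    'SELECT name FROM products WHERE INSTR(name, :needle) > 0',
    [':needle' => $userInput]
);

var_dump($naive, $escaped, $substring);
```

With these rows, the first query also returns "1000 pack", because the bound "100%" is read as "starts with 100"; the other two return only the names that really begin with "100%". A non-backslash escape character such as "!" is used because some drivers (MySQL, for one) treat a backslash inside a string literal specially, which makes ESCAPE '\' awkward to write portably. INSTR is available in SQLite and MySQL; SQL Server spells the same check CHARINDEX, as Adam notes, so Fix B is less portable than Fix A but needs no escaping at all.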
