Hi,
Thanks for the reply. Unfortunately, we can't use placeholders, as it's using an external SQL module to process the queries. I think I'm just going to settle for removing the " and replacing them with %
Is there a way of using % in a way so it ONLY matches one character? Kinda like we do in a regex with . ?
TIA!
Andy
Maybe now is a good time to learn about SQL?
Depending on your SQL dialect, the "one character" (or "one byte", depending on your database/data structure) wildcard is _ or ?. As you seem to be successfully using % as wildcard, it is more likely _ than ?.
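An added example (not from the thread) showing the difference between the `_` and `%` wildcards in a LIKE pattern, and how the pattern can be bound as a placeholder with user-supplied `%`/`_` escaped so they match literally. It uses an in-memory SQLite table with constructed rows; MySQL's LIKE uses the same two wildcards and also accepts an ESCAPE clause.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original post).
NAMES = ["cat", "cot", "coat", "c%t", "c_t", "cart", "dog"]


def build_db():
    """Create an in-memory table 'pets' holding the constructed sample names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pets (name TEXT)")
    conn.executemany("INSERT INTO pets VALUES (?)", [(n,) for n in NAMES])
    return conn


def like_match(conn, pattern):
    """Bind a LIKE pattern as a placeholder; '_' = one char, '%' = any run."""
    rows = conn.execute("SELECT name FROM pets WHERE name LIKE ?", (pattern,))
    return sorted(r[0] for r in rows)


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so a user-supplied value matches literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def like_literal_prefix(conn, user_prefix):
    """Prefix search: the user part is matched literally, the wildcard is added by code."""
    pattern = escape_like(user_prefix) + "%"
    rows = conn.execute(
        "SELECT name FROM pets WHERE name LIKE ? ESCAPE '\\'", (pattern,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_db()
    print("c_t ->", like_match(db, "c_t"))              # exactly one character between c and t
    print("c%t ->", like_match(db, "c%t"))              # zero or more characters
    print("literal 'c%' prefix ->", like_literal_prefix(db, "c%"))  # only the row containing a real %
```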
Hi,
Yup, I keep meaning to purchase a book on mySQL. Maybe I will do that now, to start making use of my new Kindle ;)
Thanks again - I managed to get it working now.
Cheers
Andy
Personally, a lack-of-support for placeholders would be a deal-breaker. It'd be sufficient, on its own, to warrant the dumping of that module and the search for a different module, or the ground-up writing of a new one, if need be. Injection attacks are not the only problem solved by placeholders, though, again, all on its own, it's sufficient cause for any database-interfacing module to support them. If the author of the module is not aware enough of this to simply allow binding of variables through their interface into DBI, then I would be concerned about everything else. (Which, of course, is not to say that allowing placeholders would be sufficient to draw the conclusion that they're a DB expert.)
Never mind - I think I answered my own question, with the REGEXP function in mySQL :)
Cheers
Andy