> And how many web forms forget to check the presence of a percent sign
> and are executing SQL searches without checking it using clauses
> similar to "WHERE table.field LIKE :parameter" by binding directly the
> submitted form value to the "parameter" variable placeholder, ignoring
> the fact that the percent sign in the right operand of a LIKE is
> parsed specially by the SQL engine?
Any magic character should be escaped when supplied as a prepared
statement parameter, so the above scenario is unlikely to happen in
any sane database engine.
Received on Mon Mar 25 2013 - 09:38:24 CDT
This archive was generated by hypermail 2.2.0 : Mon Mar 25 2013 - 09:38:26 CDT