I have a query that binds a parameter to a LIKE clause as follows:
my $sth = $dbh->prepare('SELECT foo FROM bar WHERE baz LIKE ?');
$sth->execute("%$like%");
However, $like is a value entered by the user. Therefore, if the value contains any of the special characters recognized by the LIKE clause (%, _, \), they are passed unescaped to the database and interpreted as wildcards or escape characters. For example, if the user enters %value, the query that gets sent is SELECT foo FROM bar WHERE baz LIKE '%%value' rather than LIKE '%\%value' as I expected.
I am currently using regular expressions to escape this field manually:
# Escape the LIKE metacharacters by hand. The backslash is handled first,
# so the backslashes inserted for % and _ below are not doubled afterwards.
$like =~ s!\\!\\\\!g;
$like =~ s!%!\\%!g;
$like =~ s!_!\\_!g;
my $sth = $dbh->prepare('SELECT foo FROM bar WHERE baz LIKE ?');
$sth->execute("%$like%");
… DBI. DBI::quote … % … DBI::quote:
quote() … "Placeholders and Bind …".
LIKE … ?
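The following is an added example, not code from the question above. It packages the manual escaping into a single substitution and, as the part a practitioner usually wants on top of it, pairs it with an explicit ESCAPE clause so the query does not depend on the database's default escape character (MySQL and PostgreSQL default to a backslash; SQLite has no default escape character at all, so without ESCAPE the escaped value would not match). It assumes DBD::SQLite is installed and uses an in-memory database filled with constructed sample rows; the table and column names follow the question.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Escape the three LIKE metacharacters (\, % and _) with a backslash in one
# pass, so a backslash inserted for % or _ is never escaped a second time.
sub escape_like {
    my ($value) = @_;
    $value =~ s/([\\%_])/\\$1/g;
    return $value;
}

# Assumption: DBD::SQLite is available; the rows below are constructed sample data.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE bar (foo TEXT, baz TEXT)');
my $ins = $dbh->prepare('INSERT INTO bar (foo, baz) VALUES (?, ?)');
$ins->execute(@$_) for (
    [ 'row1', '100% cotton' ],
    [ 'row2', 'cotton'      ],
    [ 'row3', 'foo_bar'     ],
    [ 'row4', 'fooXbar'     ],
);

# As in the question: the user's % and _ are interpreted as wildcards.
my $naive = $dbh->prepare(
    'SELECT foo FROM bar WHERE baz LIKE ? ORDER BY foo');

# Escaped value plus an explicit ESCAPE clause naming the backslash, so the
# escaping works regardless of the database's default (SQLite has none).
my $safe = $dbh->prepare(
    q{SELECT foo FROM bar WHERE baz LIKE ? ESCAPE '\' ORDER BY foo});

# Two user inputs that contain LIKE metacharacters.
for my $input ('%', '_bar') {
    my $leaky = $dbh->selectcol_arrayref($naive, undef, "%$input%");
    my $exact = $dbh->selectcol_arrayref($safe,  undef,
        '%' . escape_like($input) . '%');
    printf "%-5s naive: %-22s escaped: %s\n", $input,
        join(',', @$leaky), join(',', @$exact);
}
# Expected:
#   %     naive: row1,row2,row3,row4    escaped: row1
#   _bar  naive: row3,row4              escaped: row3

$dbh->disconnect;
```

The escape character only has to agree between escape_like and the ESCAPE clause; if the backslash is awkward for a particular driver's string-literal rules, any other character (for example `!`) can be substituted in both places.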