Gajus

Reputation: 73888

Do SQL LIKE queries require any special attention when it comes to sanitising data?

In a simple scenario where user input is used to filter data using SQL LIKE, are there any special characters I should be careful about?

$input  = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);

// Should I strip characters like '%'?

$sth    = $db->prepare("SELECT `id` FROM `names` WHERE `name` LIKE :name");
$sth->execute(['name' => $input . '%']);

I am referring to anything that could dramatically slow down the query/eat up CPU and thus be used for malicious purposes.

Upvotes: 0

Views: 94

Answers (2)

Tass

Reputation: 1248

You should escape the characters used for wildcard matching.

See Escaping MySQL wild cards for a good discussion on doing this.

Upvotes: 1
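As an added example (not code from the question or either answer), here is the escaping Tass describes applied to the question's PDO prefix search. It assumes an in-memory SQLite database with a constructed `names` table; the `!` escape character and the function names are my choices. With the trailing `%` the questioner appends, an unescaped `%` or `_` in the input widens the match, and a leading `%` turns an indexed prefix lookup into a full scan, which is the CPU cost the question asks about.

```php
<?php
// Added example, not code from the question or the answers: escape LIKE's
// metacharacters in user input before binding, so that only the '%' the
// application appends acts as a wildcard. Runs offline against in-memory
// SQLite; the ESCAPE clause is standard SQL and works on MySQL too. The
// escape character '!' is an assumption: unlike '\', it needs no doubling.

function escapeLike(string $value, string $esc = '!'): string
{
    // The escape character itself must be escaped first, then '%' and '_'.
    // str_replace applies the pairs in order, so the '!' added in front of
    // '%' and '_' is not re-escaped.
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

// Prefix search as in the question, with the user input made literal.
function prefixSearch(PDO $db, string $userInput): array
{
    $sth = $db->prepare("SELECT `name` FROM `names` WHERE `name` LIKE :pat ESCAPE '!'");
    $sth->execute(['pat' => escapeLike($userInput) . '%']);
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

// The question's query without escaping, kept only to make the difference visible.
function unsafePrefixSearch(PDO $db, string $userInput): array
{
    $sth = $db->prepare("SELECT `name` FROM `names` WHERE `name` LIKE :pat");
    $sth->execute(['pat' => $userInput . '%']);
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `names` (`id` INTEGER PRIMARY KEY, `name` TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO `names` (`name`) VALUES (:name)');
foreach (['alice', 'al_ice', 'albert', '100%', 'bob'] as $name) { // constructed rows
    $ins->execute(['name' => $name]);
}

// '%' alone: unescaped it matches every row and defeats any index on `name`;
// escaped it is a literal '%' that no name starts with.
var_dump(count(unsafePrefixSearch($db, '%')), count(prefixSearch($db, '%')));
// 'al_': unescaped, '_' matches any single character; escaped, only the literal underscore.
print_r(unsafePrefixSearch($db, 'al_'));
print_r(prefixSearch($db, 'al_'));
```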

meadlai

Reputation: 935

You need to take care of the $input; it will contain comma marks or quotation marks.

Upvotes: 1
