0

In simple scenario, where user input is used to filter data using SQL LIKE, are there any specials characters I should be careful about?

$input  = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);

// Should I strip characters like '%'?

$sth    = $db->prepare("SELECT `id` FROM `names` WHERE `name` LIKE :name");
$sth->execute(['name' => $input . '%']);

I am referring to anything that could dramatically slow down the query/eat up CPU and thus be used for malicious purposes.

Gajus
  • 69,002
  • 70
  • 275
  • 438
  • Why are you using LIKE in the first place in this context? – Pekka Jul 26 '12 at 08:09
  • Because I am searching for names like "George Thomson" given only "George" and similar cases. – Gajus Jul 26 '12 at 08:11
  • Ahh, I see now. Yeah, it would make sense to strip `%` and `_`from within the input in that case – Pekka Jul 26 '12 at 08:13
  • 1
    I dont know of a first name containing a %. There is "50 Cents" I suppose, but his first name is 50, I guess... (you can call me 25) – Cups Jul 26 '12 at 08:46

2 Answers2

1

you need to care about the $input, it will contain comma mark or quotation mark

meadlai
  • 895
  • 1
  • 9
  • 22
1

You should escape the characters used for wildcard matching.

See Escaping MySQL wild cards for a good discussion on doing this.

Community
  • 1
  • 1
Tass
  • 1,238
  • 11
  • 21