YES!!!!
but it has nothing to do with the SQL, which is good. You are still leaving yourself open to an SQL injection attack:
http://en.wikipedia.org/wiki/SQL_injection

You should take the opportunity to rewrite the Perl as well as the query, like this:

    my ($query) = $dbconn->prepare("Select * from my_table where UPPER(last_name) LIKE UPPER(?)");
    $query->execute($SearchName);

cheers
John Scoles

> To: dbi-users@perl.org
> From: lvir...@gmail.com
> Subject: Trying to safely compare user input name against database
> Date: Mon, 3 May 2010 11:30:28 -0700
>
> I've a case where a function is called with a string provided by a
> user, and some legacy code then puts that string into a select
> statement for dbi. The code currently reads:
>
>     my ($query) = $dbconn->prepare(
>         "Select * from my_table where last_name LIKE '$SearchName'");
>     $query->execute() or return \...@retval; #problem return empty array
>
> Now, one of the issues that comes up is the situation where the user's
> string doesn't match the case of the name in the table.
>
> For instance, if they pass a "McDonnel" as the string, but in the
> table, it is "Mcdonnel", of course there is no match.
>
> So, I was thinking of modifying this to read
>
>     my ($query) = $dbconn->prepare(
>         "Select * from my_table where UPPER(last_name) LIKE UPPER('$SearchName')");
>
> Are there any gotchas in going this route? Is there a better way of
> doing this?
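A runnable illustration of the bind-value approach John recommends, added here and not part of the thread: it builds a throwaway SQLite table (DBD::SQLite and the sample names are assumptions) and shows the UPPER(?) lookup handling a mixed-case name and an apostrophe, plus the one gotcha placeholders do not cover: % and _ are still LIKE wildcards inside the bound value.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumed: DBD::SQLite is installed; an in-memory database stands in for my_table.
my $dbconn = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbconn->do("CREATE TABLE my_table (id INTEGER PRIMARY KEY, last_name TEXT)");
my $ins = $dbconn->prepare("INSERT INTO my_table (last_name) VALUES (?)");
$ins->execute($_) for ("Mcdonnel", "O'Brien", "Smith");   # constructed sample rows

# Case-insensitive lookup with a bind value: the driver sends $SearchName as
# data, so quotes or other characters in it can never alter the SQL text.
# (SQLite's LIKE is already ASCII case-insensitive; UPPER() is the portable form.)
sub find_by_last_name {
    my ($SearchName) = @_;
    my $query = $dbconn->prepare(
        "SELECT * FROM my_table WHERE UPPER(last_name) LIKE UPPER(?)");
    $query->execute($SearchName);
    return $query->fetchall_arrayref({});     # arrayref of hashrefs
}

# LIKE still treats % and _ as wildcards even when bound, so a user typing "%"
# matches every row. Escape them when only a literal match is wanted.
sub find_by_last_name_exact {
    my ($SearchName) = @_;
    (my $escaped = $SearchName) =~ s/([%_\\])/\\$1/g;
    my $query = $dbconn->prepare(
        "SELECT * FROM my_table WHERE UPPER(last_name) LIKE UPPER(?) ESCAPE '\\'");
    $query->execute($escaped);
    return $query->fetchall_arrayref({});
}

for my $name ("McDonnel", "o'brien", "%") {
    my $rows = find_by_last_name($name);
    printf "%-9s -> %d row(s): %s\n", $name, scalar @$rows,
        join(", ", map { $_->{last_name} } @$rows);
}
my $rows = find_by_last_name_exact("%");
printf "%-9s -> %d row(s) with wildcard escaping\n", "%", scalar @$rows;
```

The interpolated form from the original post would fail with a syntax error on "o'brien", whereas the bound version returns the O'Brien row; the last call shows that escaping turns "%" back into a literal so it matches nothing.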