PHP
pyatin, 2012-12-14 15:37:40

Bug or Feature Autocomplete on the site?

Hello everyone
To implement autocompletion on a site, a query like this is often used:

SELECT field FROM table WHERE field LIKE 'SOME_STRING%'

And the % and _ characters are often neither replaced nor escaped, which leads to the following:
[screenshot]
In principle, there is no threat in this, but it is still not clear what to do with it.
In my current project I decided not to give users this ability.
I'm interested in the community's thoughts and considerations on this issue.


5 answers
Leestex, 2012-12-14
@Leestex

I think it's still worth escaping such characters. But the feature can be kept: say, assign it to a different key combination and move it all into some neat helper.

Puma Thailand, 2012-12-14
@opium

How is it even possible to forbid the user from entering unescaped input?

Wott, 2012-12-14
@Wott

It depends. For example, we now have a UI for Asterisk for our own people, and they use % and _ all the time, but for a public service it's better not to, otherwise the user will get something he can't make sense of if that same % suddenly turns up in the data.

egorinsk, 2012-12-15
@egorinsk

> So often the characters % and _ are not replaced and not escaped, which leads to the following:
This is ordinary developer carelessness: these characters must be escaped, and then they will work as intended.

justhack, 2012-12-15
@justhack

If you're doing a quick search anyway, do it through a properly configured Sphinx.
