Perl DBI：转义LIKE准备的语句

Question

I have a query that is binding a parameter to a LIKE statement as follows:

my $sth = $dbh->prepare('SELECT foo FROM bar WHERE baz LIKE ?');
$sth->execute("%$like%");

However, $like is a value that is entered by the user. So if the value contains any special characters recognised by the LIKE clause ( & , _ , \\ ), these are passed unescaped to the database and parsed as wildcard or escape characters. For example if the user inputs %value , the query that will be submitted is: SELECT foo FROM bar WHERE baz LIKE '%%value' , rather than LIKE '%\\%value , which is what I would expect.

Currently I am using regular expressions to escape the field manually:

# Escape LIKE wildcard characters
$like =~ s!\\!\\\\!g;
$like =~ s!%!\\%!g;
$like =~ s!_!\\_!g;

my $sth = $dbh->prepare('SELECT foo FROM bar WHERE baz LIKE ?');
$sth->execute("%$like%");

but it feels like the escaping is something DBI should be able to handle. I played around with DBI::quote , but this is designed for quoting entire fields, so in this case it would also quote the % symbols I am adding, and the documentation for DBI::quote specifically states:

The quote() method should not be used with "Placeholders and Bind Values".

Is there a better way to bind a user-supplied input to a LIKE clause while escaping the input and adding relevant wildcard characters, without resorting to manually escaping the input?

Answer 1

Despite what the documentation for DBI::quote says, LIKE parameters are a bit of a special case. What you want to do is almost what you already have in your example: first make sure there are no user-provided metacharacters by applying quote to the user-provided string (you do this with regexps in your example), then add your own metacharacters (the percent signs, in this case), then use it as food for the bind parameter.