[jifty-devel] jifty-dbi 0.71: Unknown operator 'REGEXP'

Ruslan Zakirov ruz at bestpractical.com
Tue Aug 30 13:09:18 EDT 2011


On Tue, Aug 30, 2011 at 8:20 PM, Thomas Sibley <trs at bestpractical.com> wrote:
> On 08/30/2011 10:23 AM, Stanislav Sinyagin wrote:
>> Obviously line 1284 in lib/Jifty/DBI/Collection.pm produces that.
>>
>> It will be great to have a workaround which allows non-ANSI SQL operators.
>
> Perhaps a different key?  Or a refactoring the operator check into the
> handle class, so it can be db-specific?
>
> I'm not sure what the best solution is at the moment.

That check was implemented to prevent SQL injections and it's possible
to lose granularity to:

/^(=|<|>|!=|<>|<=|>=|[a-z_\s]+)$/ix

Or a little bit more precise:

/^(=|<|>|!=|<>|<=|>=|((IS\s+)?(NOT\s+)?)[a-z_]+)$/ix


I think it covers security pretty well and gives freedom.

> Thomas
> _______________________________________________
> jifty-devel mailing list
> jifty-devel at lists.jifty.org
> http://lists.jifty.org/cgi-bin/mailman/listinfo/jifty-devel
>



-- 
Best regards, Ruslan.
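The two candidate whitelists from the message, transcribed from Perl to Python as an added example (this is not Jifty::DBI's code, and it makes no claim about what the existing check on line 1284 does), run over a constructed list of operator strings to show what each pattern admits and rejects:

```python
import re

# Transcription of the two Perl patterns proposed in the mail. Perl's /x flag
# has no effect (neither pattern contains literal whitespace), and /^...$/ is
# rendered with re.fullmatch, which unlike Perl's `$` does not tolerate a
# trailing newline, so "=\n" is rejected here where Perl would accept it.
LOOSE = re.compile(r"=|<|>|!=|<>|<=|>=|[a-z_\s]+", re.IGNORECASE)
PRECISE = re.compile(r"=|<|>|!=|<>|<=|>=|(?:IS\s+)?(?:NOT\s+)?[a-z_]+", re.IGNORECASE)


def operator_allowed(op: str, pattern: re.Pattern = PRECISE) -> bool:
    """True when `op` consists solely of a whitelisted comparison or keyword operator."""
    return pattern.fullmatch(op) is not None


def audit(ops, pattern=PRECISE):
    """Map each candidate operator string to whether `pattern` admits it."""
    return {op: operator_allowed(op, pattern) for op in ops}


if __name__ == "__main__":
    # Constructed sample: the operator from the bug report, some ANSI and
    # non-ANSI keyword operators, and strings that smuggle a value or a
    # second clause into the operator slot.
    samples = [
        "=", "<>", "REGEXP", "IS NOT NULL", "not like", "IS NOT NOT NULL",
        "<=>", "= 1 OR 1", "LIKE '%x%'", "=\n",
    ]
    print(f"{'operator':<18}{'loose':<8}precise")
    for op, loose_ok in audit(samples, LOOSE).items():
        precise_ok = operator_allowed(op, PRECISE)
        print(f"{op!r:<18}{str(loose_ok):<8}{precise_ok}")
```

Note that neither pattern admits MySQL's null-safe `<=>`, and only the looser one admits arbitrary runs of keywords such as `IS NOT NOT NULL`; that is the granularity difference between the two.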

