I need my users to use asterisks (*) as wildcards in the search.
Is it safe to convert asterisks to % and use LIKE in the SQL query?
I know that user-supplied regular expressions can lead to expressions that take forever to evaluate. I do not think that this is possible in this case, but are there any other security problems here?
Wildcards in LIKE expressions can change the query plan so that the RDBMS does a full table scan instead of using an index. This can make the query slow with a lot of data. I would recommend checking that the user input contains at least a few non-wildcard characters before the first asterisk.
Also note that if you convert * to % and use LIKE, you also need to take care of _, otherwise it will match any single character, not just the underscore.
If all you do is a replacement like this:
str_replace('*','%',$query)
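As an added example (not code from the question or the answer above), the conversion done safely in Python: only * becomes %, while _, % and the backslash typed by the user are escaped and the pattern is bound as a parameter next to ESCAPE '\'. The question is about MySQL; using sqlite3 for a runnable demo, and the table name items with its constructed rows, are assumptions. naive_search does the plain str_replace('*','%') equivalent for contrast.

```python
import sqlite3

# LIKE metacharacters that must be escaped so the user matches them literally.
# The backslash is the ESCAPE character chosen below, so it is escaped too.
LIKE_SPECIALS = {"\\": "\\\\", "%": "\\%", "_": "\\_"}


def wildcard_to_like(user_input: str) -> str:
    """Convert a search string using '*' wildcards into a LIKE pattern.

    Only '*' becomes '%'; any '%', '_' or '\\' typed by the user is escaped.
    The result is meant to be bound as a parameter next to ESCAPE '\\'.
    """
    return "".join("%" if ch == "*" else LIKE_SPECIALS.get(ch, ch)
                   for ch in user_input)


def has_leading_wildcard(pattern: str) -> bool:
    """A pattern starting with '%' cannot use a B-tree index on the column
    and forces a full scan; callers may want to reject or rate-limit it."""
    return pattern.startswith("%")


def naive_search(conn, user_input):
    # The str_replace('*', '%', $query) approach: '_' and '%' stay live wildcards.
    pattern = user_input.replace("*", "%")
    rows = conn.execute("SELECT name FROM items WHERE name LIKE ? ORDER BY name",
                        (pattern,)).fetchall()
    return [r[0] for r in rows]


def safe_search(conn, user_input):
    pattern = wildcard_to_like(user_input)
    rows = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,)).fetchall()
    return [r[0] for r in rows]


def make_db():
    # Constructed sample data for the demonstration (in-memory SQLite).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)",
                     [("foo_bar",), ("fooXbar",), ("100%",), ("1000",), ("bar",)])
    return conn


if __name__ == "__main__":
    db = make_db()
    for term in ("foo_bar", "foo*", "100%"):
        print(term, "naive:", naive_search(db, term), "safe:", safe_search(db, term))
```

With the sample rows, searching for the literal string foo_bar also returns fooXbar in the naive version but only foo_bar in the safe one, and 100% naively also matches 1000.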
*foo
bar*
*foo*
ba*r
, (.. mysql_real_escape_string() ( ORM ) .
, EXPLAIN , RDBMS.
, OR, AND, LIKE, MINUS .. /.
: : Sphinx SOLR?