> > That can be confirmed by setting $dbh->trace_level to something greater
> > than or equal to 2 and looking at the Pg DBD driver's output.
>
>Shit, you're right. The $dbh->quote() called for the placeholders
>escapes strings for INSERTing, but not for LIKE comparisons. So this
>is one of the few places where using placeholders is not enough.
>
>At least my erroneous assumption can't be used for an SQL injection
>attack - you just get more results than you would get if you escape
>the wildcards by hand.
I've been reading this discussion and I asked myself whether you guys
remove/replace unwanted chars from strings you get from the web or not.
If you do remove them, AFAIK it doesn't only prevent SQL injection but also XSS.
B.
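The wildcard behaviour discussed above, as an added example that is not part of the original thread. The thread is about Perl DBI with DBD::Pg, but the effect is driver-independent (placeholders quote the string for the SQL parser; LIKE then interprets % and _ inside that string), so this uses Python's sqlite3 against a constructed in-memory table. The table, the sample names, the search functions and the escape helper are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the thread).
SAMPLE_NAMES = ["alice", "bob", "carol_smith", "100%", "1000x", "dan"]

# Escape character used in the LIKE pattern; must match the ESCAPE clause below.
LIKE_ESCAPE = "\\"


def escape_like(value: str) -> str:
    """Make LIKE metacharacters in a user-supplied string match literally.

    The escape character itself is doubled first, so that a user-supplied
    backslash cannot cancel the escape we add in front of % and _.
    """
    return (value.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                 .replace("%", LIKE_ESCAPE + "%")
                 .replace("_", LIKE_ESCAPE + "_"))


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the Postgres table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def search_naive(conn: sqlite3.Connection, term: str) -> list:
    """Placeholder only.

    The driver binds the value as a string, so a quote or an OR inside it
    cannot change the statement (no injection), but % and _ inside the
    bound value are still wildcards to LIKE, so the caller can widen the
    match to every row.
    """
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ORDER BY name",
        ("%" + term + "%",),
    )
    return [name for (name,) in rows]


def search_escaped(conn: sqlite3.Connection, term: str) -> list:
    """Placeholder plus wildcard escaping.

    After escape_like(), the only wildcards left in the pattern are the
    two % we deliberately wrap around the term; ESCAPE tells LIKE which
    character marks a literal.
    """
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        ("%" + escape_like(term) + "%",),
    )
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = open_db()
    for term in ["100%", "_", "' OR '1'='1"]:
        print(f"{term!r:16} naive={search_naive(db, term)} "
              f"escaped={search_escaped(db, term)}")
```

Running it shows both halves of the point made above: a bound `' OR '1'='1` returns nothing from either function, because the placeholder does its job, while a bound `%` or `_` returns the whole table from `search_naive` and only the rows that literally contain that character from `search_escaped`. The Perl equivalent is to apply the same substitution before binding, e.g. `$term =~ s/([\\%_])/\\$1/g`, and to keep an explicit `ESCAPE '\'` on the LIKE; PostgreSQL defaults to backslash as the LIKE escape character, but stating it avoids surprises on other backends.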