Hi,
I'm looking into the Database API to do a simple LIKE with ActiveRecord, and I read the phpdoc of the CDBCriteria::compare method, which says:
Quote
The comparison operator is intelligently determined based on the first few characters in the given value.
So does that mean that a web user can set a specific operator himself (when the code isn't specifying one) at the beginning of an input, so the SQL query will be modified in some way?
That behavior seems ugly; another parameter which is not concatenated would be better.
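An added example, not code from the original post or from the Yii project, showing the call pattern the question describes next to two forms that do not let the input choose the operator. It assumes Yii 1.1's CDbCriteria and a hypothetical `Product` model with a string column `name`.

```php
<?php
// Added example, not Yii's own code. Assumes Yii 1.1 (CDbCriteria, CActiveRecord)
// and a hypothetical ActiveRecord model Product with a string column `name`.

$input = isset($_GET['name']) ? (string) $_GET['name'] : '';

// 1. The pattern from the question: compare() looks at the first characters
//    of $input for a comparison operator (e.g. "<", ">=", "<>") and uses it.
//    The remaining value is bound as a query parameter, so this is not SQL
//    injection, but the user decides the comparison semantics of the filter.
$criteria = new CDbCriteria();
$criteria->compare('name', $input, true);   // partialMatch => LIKE unless prefixed

// 2. Hardened form: drop any leading whitespace/operator characters before
//    the value reaches compare(), so it only ever sees the bare search text.
function stripLeadingOperator($value)
{
    // Removes every leading run of the characters compare() would read as an
    // operator (assumption: covers <, >, =, <>, <=, >= in Yii 1.1).
    return preg_replace('/^[\s<>=]+/', '', $value);
}
$criteria = new CDbCriteria();
$criteria->compare('name', stripLeadingOperator($input), true);

// 3. Form that never interprets the value: addSearchCondition() builds
//    `name LIKE :param` with the keyword bound and LIKE wildcards escaped
//    (escape=true). For an exact match, addColumnCondition() binds the
//    value the same way without looking at its first characters.
$criteria = new CDbCriteria();
$criteria->addSearchCondition('name', $input, true);
// $criteria->addColumnCondition(array('name' => $input)); // exact match variant

$products = Product::model()->findAll($criteria);
```

Log or reject inputs that stripLeadingOperator() changes if you want to detect callers probing the filter syntax rather than silently normalizing them.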