I'm working on a small project of re-implementing all of the sql for a web site. The task
is pretty trivial but overall there are some minor things that I'm trying to code through.
We've moved much of the logic over to stored procs and call them with parameterized
queries. This works well since there isn't much inject attack possibility on these. Now
I have one query left, which allows for an arbitrary number of search parameters, all
Has anyone accomplished converting something like this to a stored proc in MySQL?
Logically I could pass the parameters in as an array of words, or a wordlist to be
broken up inside the proc, but I don't want to spend a bunch of time either reinventing
the wheel or working to a goal that can't be accomplished.
We could build the base query dynamically in the code using standard sql and bind the
parameters to it that way but since we've moved everything else to procs I figured I'd
look into this as well.
BTW, this is a project I was brought onto after they found they had a SQL injection bug in
their code that was exploited...
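
Added example, not part of the original post: a sketch of the "build the base query dynamically and bind the parameters" option for a variable number of search terms. Python's built-in sqlite3 stands in for MySQL so it runs offline; the `articles` table, the `title` column, the AND-of-LIKE matching and the `MAX_TERMS` cap are all assumptions.

```python
import sqlite3

MAX_TERMS = 10  # assumed cap so one request cannot produce an unbounded query


def escape_like(term):
    """Escape LIKE wildcards with '!' so user input matches literally."""
    return term.replace("!", "!!").replace("%", "!%").replace("_", "!_")


def build_search(terms):
    """Return (sql, params) for a search over a variable number of terms.

    Only the number of placeholders depends on the input; the terms
    themselves never become part of the SQL text.
    """
    terms = [t for t in terms if t.strip()][:MAX_TERMS]
    if not terms:
        return "SELECT id, title FROM articles WHERE 0", []
    clause = " AND ".join(["title LIKE ? ESCAPE '!'"] * len(terms))
    sql = "SELECT id, title FROM articles WHERE " + clause + " ORDER BY id"
    params = ["%" + escape_like(t) + "%" for t in terms]
    return sql, params


def search(conn, terms):
    """Run the search and return the matching titles."""
    sql, params = build_search(terms)
    return [row[1] for row in conn.execute(sql, params)]


def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles (title) VALUES (?)", [
        ("MySQL stored procedure basics",),
        ("Parameterized queries in MySQL",),
        ("100% coverage myths",),
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search(db, ["mysql", "stored"]))   # two terms, both must match
    print(search(db, ["x' OR '1'='1"]))      # quote characters stay data
    print(search(db, ["%"]))                 # wildcard is matched literally
```

The same shape carries over to a MySQL driver by swapping the connection and using that driver's placeholder style.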