Again, I think it has been said, but what about post-pending the % in this
case on the Java side:
String param = theString + "%";
then using the prepared statement parameter by using
#value#
On Fri, Feb 22, 2008 at 2:42 PM, Koka Kiknadze <[EMAIL PROTECTED]> wrote:
Think you can limit how many symbols the user can enter to some reasonable
value. If you can limit it, say to 20, you can use something like
Select * from table where column LIKE '$value$%'
i.e. a malicious user will have to use 20 closing par
Good point. I might have a look at the Prepared statement source and use
that as a guide for implementing a utility class to cover my ass.
Z.
> I haven't implemented it yet, but I can't see a reason why it wouldn't
> work.
I cannot see either, but to speed up such searches one usually indexes the
search column. While an index will work well for Column LIKE 'bla%', I doubt it
will be of any use with ANY_FUNCTION(Column...)...
The solution was staring me in the face the whole time.
I just do a substring query to the length of the letters typed already:
Select column from table where SUBSTRING(column, 1, #term_length#) = #term#
I haven't implemented it yet, but I can't see a reason why it wouldn't work.
Z.
That's right. But in the case of an autocomplete query you want to search for
words starting with your argument, which needs to look like: select from
table where login = 'fre%'
Escaping any single quotes in Java covers most attacks, but it's a shame
there's no SQL function for STARTS_WITH(#value#).
> Hi all,
>
> Aren't PreparedStatements supposed to take care of avoiding SQL injection
> already?
>
> I thought so. Maybe not all cases??
>
> Gilles
>
> - Original message
> From: Larry Meadors <[EMAIL PROTECTED]>
>
> Subject: Re: OT: Preventing sql injection attack
OK, then another option... add the % to the user-provided input.
Larry
On Wed, Feb 20, 2008 at 10:23 PM, Zoran Avtarovski
<[EMAIL PROTECTED]> wrote:
Thanks Larry,
But no joy. The db is MySQL 5. To provide more details, we are already
escaping single quotes with two single quotes in the business logic, i.e.
stringSql.replaceAll("'", "''")
But I was hoping there was a more elegant solution, like the one you
suggested - which is not working for me.
This should work:
select * from table where column LIKE #value# || '%'
Larry
On Wed, Feb 20, 2008 at 9:40 PM, Zoran Avtarovski
<[EMAIL PROTECTED]> wrote:
We have a web application with an ajax autocomplete text box. The problem is
that currently the query statement for the ajax query is :
Select * from table where column LIKE '$value$%'
which is susceptible to SQL injection attacks.
One solution is to have a separate connection pool with read-onl
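An added example, not code from this thread or from iBATIS, showing the two shapes discussed above side by side: the original splice of the term into the SQL text (what $value$ substitution does) versus a bound parameter (#value#) with the % appended to the value in application code, as Larry and the first reply propose. It uses Python's sqlite3 in place of MySQL/iBATIS so it runs offline, constructed sample logins, and adds one thing the thread does not cover: escaping a user-typed % or _ so it matches literally instead of acting as a wildcard.

```python
import sqlite3

# Constructed sample data (not from the thread): logins an autocomplete box searches.
SAMPLE_LOGINS = ["fred", "freya", "frank", "o'brien", "100%_done", "1000", "alice"]


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(l,) for l in SAMPLE_LOGINS])
    return conn


def vulnerable_autocomplete(conn, term):
    """The thread's original shape: the term is spliced into the SQL text, which is
    what iBATIS $value$ substitution does. Kept only to show how it fails."""
    sql = "SELECT login FROM users WHERE login LIKE '%s%%' ORDER BY login" % term
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    """Make a user-typed '%' or '_' match literally instead of acting as a wildcard."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def safe_autocomplete(conn, term):
    """Prefix search with a bound parameter (iBATIS #value#): the trailing '%' is
    appended to the bound value in application code, never to the SQL text, so the
    term can change what is matched but never the structure of the query."""
    sql = "SELECT login FROM users WHERE login LIKE ? ESCAPE '\\' ORDER BY login"
    return [row[0] for row in conn.execute(sql, (escape_like(term) + "%",))]


def demo():
    conn = connect()
    results = {}
    # An ordinary name with a quote breaks the spliced query: the term altered the SQL.
    try:
        vulnerable_autocomplete(conn, "o'brien")
        results["vulnerable_quote"] = "ran"
    except sqlite3.OperationalError:
        results["vulnerable_quote"] = "syntax error"
    results["safe_quote"] = safe_autocomplete(conn, "o'brien")
    # A '%' typed by the user is a literal with escaping, a wildcard without it.
    results["safe_percent"] = safe_autocomplete(conn, "100%")
    results["vulnerable_percent"] = vulnerable_autocomplete(conn, "100%")
    return results
```

The same pattern carries over to JDBC or iBATIS: bind `term + "%"` as the parameter and keep the LIKE pattern out of the SQL string entirely.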