Thanks for your clarification. If I only want a case-insensitive "exact" equality, is there any easy way to do the following?

select * from table where lower(email) = lower('[EMAIL PROTECTED]');

Regards,
yllan

On Fri, Aug 29, 2008 at 12:04 AM, Mike Schrag <[EMAIL PROTECTED]> wrote:
>> I wonder if that will introduce a SQL injection vulnerability into my
>> system:
>> assuming an adversary has * or % in his email address query string, will
>> that hurt my database security?
>
> If you are taking a string from a user and just doing "*" + thatString +
> "*", (or something like that), then, yes, they could inject additional
> regexes into that. This isn't quite SQL injection -- I guess you'd call it
> "regex injection". As far as whether or not it impacts your security, it
> really depends on how you're using the query. If you're doing "and password
> like '*..." then I suppose it could, but if you're just searching, say,
> product names and someone puts in a *, it's probably going to potentially
> just give them different results. So I guess my point is that if the
> qualifier in question is participating in a query where the results of the
> query are a security concern, then, yes, you should be careful about the
> values you accept there.
>
> ms
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/webobjects-dev/yungluen%40gmail.com
>
> This email sent to [EMAIL PROTECTED]
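The two points in this exchange (a bound `lower(email) = lower(?)` comparison for case-insensitive exact equality, and the way `*`/`%` wildcards in user input change what a LIKE qualifier matches) can be seen side by side in a small script. This is an added example, not code from the thread or from WebObjects; it uses Python's `sqlite3` as a stand-in for whatever database EOF would generate SQL for, the table, rows and plaintext passwords are constructed for the demo (a real system stores password hashes), and the `%`/`_` escaping follows SQL LIKE syntax rather than the `*` glob syntax EOF qualifiers use.

```python
import sqlite3

# Constructed sample rows (not from the thread); passwords are plaintext only
# so the LIKE-on-a-credential case from the discussion can be shown.
SAMPLE_ROWS = [
    ("Alice@Example.com", "alice-pass"),
    ("bob@example.com", "bob-pass"),
    ("carol@example.org", "carol-pass"),
]


def make_db():
    """In-memory database with a users table loaded from SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_exact_ci(conn, email):
    """Case-insensitive *exact* equality, as asked in the reply above.

    The value is bound as a parameter, so it is never parsed as SQL, and
    because the comparison is '=' rather than LIKE, a '%' or '_' in the
    input is just a character that has to match literally.
    """
    cur = conn.execute(
        "SELECT email FROM users WHERE lower(email) = lower(?) ORDER BY email",
        (email,),
    )
    return [row[0] for row in cur.fetchall()]


def find_like_substring(conn, fragment):
    """The shape Mike describes: '%' + userText + '%' used as a pattern.

    Binding the assembled pattern as a parameter rules out SQL injection,
    but '%' and '_' inside the fragment still act as wildcards, so the user
    controls how broad the match is (the 'regex injection' of the thread).
    """
    cur = conn.execute(
        "SELECT email FROM users WHERE email LIKE ? ORDER BY email",
        ("%" + fragment + "%",),
    )
    return [row[0] for row in cur.fetchall()]


def escape_like(fragment, esc="\\"):
    """Neutralise LIKE metacharacters so the fragment matches itself literally."""
    return (
        fragment.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def find_like_substring_escaped(conn, fragment):
    """Substring search where user text cannot widen the pattern."""
    cur = conn.execute(
        "SELECT email FROM users WHERE email LIKE ? ESCAPE '\\' ORDER BY email",
        ("%" + escape_like(fragment) + "%",),
    )
    return [row[0] for row in cur.fetchall()]


def login_with_like(conn, email, password_text):
    """The risky variant from the thread: a LIKE qualifier on a credential field."""
    cur = conn.execute(
        "SELECT COUNT(*) FROM users WHERE lower(email) = lower(?) AND password LIKE ?",
        (email, password_text),
    )
    return cur.fetchone()[0] > 0


def login_exact(conn, email, password_text):
    """Same check with plain equality: wildcard characters carry no meaning."""
    cur = conn.execute(
        "SELECT COUNT(*) FROM users WHERE lower(email) = lower(?) AND password = ?",
        (email, password_text),
    )
    return cur.fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("exact, mixed case:", find_exact_ci(db, "alice@example.com"))
    print("exact, '%' input: ", find_exact_ci(db, "%"))
    print("LIKE, '%' input:  ", find_like_substring(db, "%"))
    print("escaped, '%':     ", find_like_substring_escaped(db, "%"))
    print("LIKE login, '%':  ", login_with_like(db, "bob@example.com", "%"))
    print("exact login, '%': ", login_exact(db, "bob@example.com", "%"))
```

The takeaway matches Mike's point: binding parameters stops SQL injection, but if the field is one whose results matter for security, use equality (or escape the wildcards) so the user's input can only ever match itself.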