Thanks for your clarification.
If I only want a case-insensitive "exact" equality, is there any easy
way to do the following?

select * from table where lower(email) = lower('[EMAIL PROTECTED]');

Regards,
yllan

On Fri, Aug 29, 2008 at 12:04 AM, Mike Schrag <[EMAIL PROTECTED]> wrote:
>> I wonder if that will introduce SQL injection vulnerability into my
>> system:
>> assuming an adversary has * or % in his email address query string, will
>> that hurt my database security?
>
> If you are taking a string from a user and just doing "*" + thatString +
> "*", (or something like that), then, yes, they could inject additional
> regexes into that.  This isn't quite SQL injection -- I guess you'd call it
> "regex injection".  As far as whether or not it impacts your security, it
> really depends on how you're using the query.  If you're doing "and password
> like '*..." then I suppose it could, but if you're just searching, say,
> product names and someone puts in a *, it's probably going to potentially
> just give them different results.  So I guess my point is that if the
> qualifier in question is participating in a query where the results of the
> query are a security concern, then, yes, you should be careful about the
> values you accept there.
>
> ms
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list      (Webobjects-dev@lists.apple.com)
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/webobjects-dev/yungluen%40gmail.com
>
> This email sent to [EMAIL PROTECTED]
>
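As an added example (not code from this thread, and not WebObjects/EOF API): a small Python model of the two points above, the wildcard injection that happens when a search builds "*" + userString + "*", and the case-insensitive exact match the question asks for. It assumes EOF-style like semantics (`*` matches any run of characters, `?` one character, compared case-insensitively) and uses a constructed list of rows in place of a database table.

```python
import re

# Constructed sample rows standing in for the "email" column of a table.
ROWS = [
    "alice@example.com",
    "Alice@Example.COM",
    "bob@example.com",
    "carol@example.org",
]


def like_pattern_to_regex(pattern):
    """Model an EOF-style case-insensitive 'like' pattern as a regex.

    Assumption: '*' matches any run of characters and '?' exactly one.
    Every other character is escaped, so only those two are special.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def search_contains(user_input):
    """The concatenation the reply warns about: "*" + input + "*".

    The user's text becomes part of the pattern, so a '*' or '?' typed by
    the user widens the match instead of being searched for literally.
    """
    rx = like_pattern_to_regex("*" + user_input + "*")
    return [row for row in ROWS if rx.match(row)]


def find_exact_insensitive(user_input):
    """Case-insensitive exact equality (the lower(a) = lower(b) idea).

    The input is compared as data and never parsed, so wildcards are inert.
    """
    wanted = user_input.casefold()
    return [row for row in ROWS if row.casefold() == wanted]


def contains_wildcards(user_input):
    """Check worth running before a value is placed into a like pattern."""
    return any(c in user_input for c in "*?")
```

Run the two functions on the input "*" to see the difference: the pattern search returns every row, the exact comparison returns none.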