ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zoran Avtarovski <zo...@sparecreative.com>
Subject Re: OT: Preventing sql injection attack
Date Fri, 22 Feb 2008 10:29:32 GMT
The solution was staring me in the face the whole time.

I just do a substring query to the length of the letters typed already:

Select column from table where SUBSTRING(column, 1, #term_length#) = #term#

I haven't implemented it yet, but I can't see a reason why it wouldn't work.

Z.



> OK, then another option...add the % to the user provided input.
> 
> Larry
> 
> 
> On Wed, Feb 20, 2008 at 10:23 PM, Zoran Avtarovski
> <zoran@sparecreative.com> wrote:
>> Thanks Larry,
>> 
>>  But no joy. The db is MySQL 5. To provide more details we are already
>>  escaping single quotes with two single quotes in the business logic ie
>>  stringSql.replaceAll("'", "''")
>> 
>>  Bit I was hoping there was a more elegant solution, like the one you
>>  suggested - which is not working for me.
>> 
>>  Z.
>> 
>> 
>> 
>>> This should work:
>>> 
>>> select * from table where column LIKE #value# || '%'
>>> 
>>> Larry
>>> 
>>> On Wed, Feb 20, 2008 at 9:40 PM, Zoran Avtarovski
>>> <zoran@sparecreative.com> wrote:
>>>> We have a web application with an ajax autocomplete text box. The problem
>>>> is
>>>>  that currently the query statement for the ajax query is :
>>>> 
>>>>  Select * from table where column LIKE '$value$%'
>>>> 
>>>>  Which is susceptible to sql injection attacks.
>>>> 
>>>>  One solution is to have a separate connection pool with read-only
>>>>  privileges, but this seems blunt and doesn't prevent malicious access to
>>>>  sensitive data.
>>>> 
>>>> 
>>>>  Is there a better way of doing this?
>>>> 
>>>> 
>>>>  Z.
>>>> 
>>>> 
>>>> 
>> 
>> 
>> 



Mime
View raw message