ibatis-user-java mailing list archives

From "Larry Meadors" <larry.mead...@gmail.com>
Subject Re: OT: Preventing sql injection attack
Date Thu, 21 Feb 2008 05:10:52 GMT
This should work:

select * from table where column LIKE #value# || '%'

Larry

On Wed, Feb 20, 2008 at 9:40 PM, Zoran Avtarovski
<zoran@sparecreative.com> wrote:
> We have a web application with an ajax autocomplete text box. The problem is
>  that currently the query statement for the ajax query is:
>
>  Select * from table where column LIKE '$value$%'
>
>  Which is susceptible to SQL injection attacks.
>
>  One solution is to have a separate connection pool with read-only
>  privileges, but this seems blunt and doesn't prevent malicious access to
>  sensitive data.
>
>
>  Is there a better way of doing this?
>
>
>  Z.
>
>
>
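To make the difference between the two forms concrete, here is an added example (not code from either poster or from iBATIS) using Python's sqlite3 module as a stand-in for the Java/iBATIS stack: `$value$` corresponds to pasting the text into the SQL string, `#value#` to passing it as a bind parameter. The table, rows and the `ESCAPE` handling are constructed for the demo; the escaping shows the caveat that a bound value still carries LIKE wildcards (`%`, `_`) unless you escape them.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the autocomplete target.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?)",
        [("apple",), ("apricot",), ("banana",), ("%off",)],
    )
    return conn


def unsafe_prefix_search(conn, value):
    # Equivalent of '$value$%': the user text becomes part of the SQL itself,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM items WHERE name LIKE '{value}%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def bound_prefix_search(conn, value):
    # Equivalent of #value# || '%': the text travels as a parameter and is
    # never parsed as SQL; the '%' is appended by the database engine.
    sql = "SELECT name FROM items WHERE name LIKE ? || '%' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (value,))]


def escaped_prefix_search(conn, value):
    # Binding stops injection, but '%' and '_' inside the value are still
    # LIKE wildcards. Escape them (and the escape char) so the prefix is
    # matched literally; only the appended '%' remains a wildcard.
    escaped = (
        value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = (
        "SELECT name FROM items WHERE name LIKE ? || '%' ESCAPE '\\' "
        "ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql, (escaped,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR name LIKE '"  # constructed input containing a quote
    print("interpolated:", unsafe_prefix_search(db, probe))   # every row
    print("bound:       ", bound_prefix_search(db, probe))    # no rows
    print("bound '%':   ", bound_prefix_search(db, "%"))      # every row
    print("escaped '%': ", escaped_prefix_search(db, "%"))    # only '%off'
```

The same `|| '%'` concatenation and `ESCAPE` clause work in most SQL dialects, though the concatenation operator and default escape behaviour vary by database.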
