ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry Meadors" <larry.mead...@gmail.com>
Subject Re: OT: Preventing sql injection attack
Date Thu, 21 Feb 2008 05:51:53 GMT
OK, then another option...add the % to the user provided input.

Larry


On Wed, Feb 20, 2008 at 10:23 PM, Zoran Avtarovski
<zoran@sparecreative.com> wrote:
> Thanks Larry,
>
>  But no joy. The db is MySQL 5. To provide more details we are already
>  escaping single quotes with two single quotes in the business logic ie
>  stringSql.replaceAll("'", "''")
>
>  Bit I was hoping there was a more elegant solution, like the one you
>  suggested - which is not working for me.
>
>  Z.
>
>
>
>  > This should work:
>  >
>  > select * from table where column LIKE #value# || '%'
>  >
>  > Larry
>  >
>  > On Wed, Feb 20, 2008 at 9:40 PM, Zoran Avtarovski
>  > <zoran@sparecreative.com> wrote:
>  >> We have a web application with an ajax autocomplete text box. The problem is
>  >>  that currently the query statement for the ajax query is :
>  >>
>  >>  Select * from table where column LIKE '$value$%'
>  >>
>  >>  Which is susceptible to sql injection attacks.
>  >>
>  >>  One solution is to have a separate connection pool with read-only
>  >>  privileges, but this seems blunt and doesn't prevent malicious access to
>  >>  sensitive data.
>  >>
>  >>
>  >>  Is there a better way of doing this?
>  >>
>  >>
>  >>  Z.
>  >>
>  >>
>  >>
>
>
>

Mime
View raw message