OK, then another option...add the % to the user provided input.
Larry
On Wed, Feb 20, 2008 at 10:23 PM, Zoran Avtarovski
<[EMAIL PROTECTED]> wrote:
> Thanks Larry,
>
> But no joy. The db is MySQL 5. To provide more details we are already
> escaping single quotes with two single quotes in the business logic ie
> stringSql.replaceAll("'", "''")
>
> Bit I was hoping there was a more elegant solution, like the one you
> suggested - which is not working for me.
>
> Z.
>
>
>
> > This should work:
> >
> > select * from table where column LIKE #value# || '%'
> >
> > Larry
> >
> > On Wed, Feb 20, 2008 at 9:40 PM, Zoran Avtarovski
> > <[EMAIL PROTECTED]> wrote:
> >> We have a web application with an ajax autocomplete text box. The problem
> is
> >> that currently the query statement for the ajax query is :
> >>
> >> Select * from table where column LIKE '$value$%'
> >>
> >> Which is susceptible to sql injection attacks.
> >>
> >> One solution is to have a separate connection pool with read-only
> >> privileges, but this seems blunt and doesn't prevent malicious access to
> >> sensitive data.
> >>
> >>
> >> Is there a better way of doing this?
> >>
> >>
> >> Z.
> >>
> >>
> >>
>
>
>
