Hi all,

Aren't PreparedStatements supposed to take care of avoiding SQL injection already?
I thought so. Maybe not all cases??

Gilles

----- Original message ----
From: Larry Meadors <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thursday, 21 February 2008, 6:51:53
Subject: Re: OT: Preventing sql injection attack

OK, then another option...add the % to the user provided input.

Larry

On Wed, Feb 20, 2008 at 10:23 PM, Zoran Avtarovski <[EMAIL PROTECTED]> wrote:
> Thanks Larry,
>
> But no joy. The db is MySQL 5. To provide more details we are already
> escaping single quotes with two single quotes in the business logic ie
> stringSql.replaceAll("'", "''")
>
> But I was hoping there was a more elegant solution, like the one you
> suggested - which is not working for me.
>
> Z.
>
> > This should work:
> >
> > select * from table where column LIKE #value# || '%'
> >
> > Larry
> >
> > On Wed, Feb 20, 2008 at 9:40 PM, Zoran Avtarovski
> > <[EMAIL PROTECTED]> wrote:
> >> We have a web application with an ajax autocomplete text box. The problem is
> >> that currently the query statement for the ajax query is :
> >>
> >> Select * from table where column LIKE '$value$%'
> >>
> >> Which is susceptible to sql injection attacks.
> >>
> >> One solution is to have a separate connection pool with read-only
> >> privileges, but this seems blunt and doesn't prevent malicious access to
> >> sensitive data.
> >>
> >> Is there a better way of doing this?
> >>
> >> Z.
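Added example, not from the thread or from iBATIS itself: it shows why the `$value$` substitution above is injectable while the `#value#` prepared-statement parameter is not, using Python's sqlite3 DB-API binding as a stand-in for the JDBC PreparedStatement that iBATIS uses for `#value#`. Larry's fix of appending the `%` to the input in code is the second function; the third also escapes `%` and `_` so a user cannot turn the prefix search into an arbitrary wildcard search. The table and rows are constructed sample data.

```python
import sqlite3

# Constructed in-memory table standing in for the autocomplete source.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE names (name TEXT);
INSERT INTO names VALUES ('Zoran'), ('Zed'), ('Larry'), ('50%_off');
""")


def like_unsafe(prefix: str) -> list[str]:
    """The $value$ pattern: the input is spliced into the SQL text, so a
    quote in it changes the statement (here: a syntax error, or worse)."""
    sql = f"SELECT name FROM names WHERE name LIKE '{prefix}%'"
    return [row[0] for row in CONN.execute(sql)]


def like_bound(prefix: str) -> list[str]:
    """The #value# pattern: the value is bound as a parameter and the %
    is appended in code, so quotes in the input are just data."""
    sql = "SELECT name FROM names WHERE name LIKE ?"
    return [row[0] for row in CONN.execute(sql, (prefix + "%",))]


def like_bound_escaped(prefix: str) -> list[str]:
    """Same binding, but LIKE wildcards typed by the user are escaped so the
    query is always a prefix match and never 'everything' (input '%')."""
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = "SELECT name FROM names WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in CONN.execute(sql, (escaped + "%",))]
```

Binding alone stops injection; the ESCAPE variant additionally stops a user from supplying `%` to enumerate the whole column, which is the "malicious access to sensitive data" concern raised in the thread.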
