The solution was staring me in the face the whole time.
I just do a substring query to the length of the letters typed already:
Select column from table where SUBSTRING(column, 1, #term_length#) = #term#
I haven't implemented it yet, but I can't see a reason why it wouldn't work.
Z.
> OK, then another option...add the % to the user provided input.
>
> Larry
>
>
> On Wed, Feb 20, 2008 at 10:23 PM, Zoran Avtarovski
> <[EMAIL PROTECTED]> wrote:
>> Thanks Larry,
>>
>> But no joy. The db is MySQL 5. To provide more details we are already
>> escaping single quotes with two single quotes in the business logic ie
>> stringSql.replaceAll("'", "''")
>>
>> Bit I was hoping there was a more elegant solution, like the one you
>> suggested - which is not working for me.
>>
>> Z.
>>
>>
>>
>>> This should work:
>>>
>>> select * from table where column LIKE #value# || '%'
>>>
>>> Larry
>>>
>>> On Wed, Feb 20, 2008 at 9:40 PM, Zoran Avtarovski
>>> <[EMAIL PROTECTED]> wrote:
>>>> We have a web application with an ajax autocomplete text box. The problem
>>>> is
>>>> that currently the query statement for the ajax query is :
>>>>
>>>> Select * from table where column LIKE '$value$%'
>>>>
>>>> Which is susceptible to sql injection attacks.
>>>>
>>>> One solution is to have a separate connection pool with read-only
>>>> privileges, but this seems blunt and doesn't prevent malicious access to
>>>> sensitive data.
>>>>
>>>>
>>>> Is there a better way of doing this?
>>>>
>>>>
>>>> Z.
>>>>
>>>>
>>>>
>>
>>
>>
