Again, I think it has been said, but what about appending the % on the Java side in this case:

    String param = theString + "%";

then using the prepared statement parameter via #value#.

On Fri, Feb 22, 2008 at 2:42 PM, Koka Kiknadze <[EMAIL PROTECTED]> wrote:
> Think you can limit how many symbols the user can enter to some reasonable
> value. If you can limit it, say to 20, you can use something like
>
> Select * from ((((((((((((((((((((
> Select * from table where column LIKE '$value$%'
> ))))))))))))))))))))
>
> i.e. a malicious user will have to use 20 closing parentheses in the value -
> no room left for extra SQL
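The difference between the two approaches in this thread, as an added example that is not code from the original messages or from iBATIS: `$value$` splices the raw string into the SQL text, while `#value#` becomes a bound `?` parameter. A `?` inside a quoted literal such as `'?%'` is just a character, which is why the wildcard has to be appended in application code before binding. The example below uses Python's `sqlite3` in place of iBATIS to show the same pattern; the table, column names and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread).
SAMPLE_ROWS = [
    ("alice", "user"),
    ("alicia", "user"),
    ("bob", "admin"),
    ("carol", "user"),
    ("a_test", "user"),   # contains a LIKE metacharacter on purpose
]


def make_db():
    """In-memory table standing in for the 'table' in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, value):
    """Equivalent of LIKE '$value$%': the user string becomes part of the
    SQL text, so quotes and comment markers in it change the query."""
    sql = "SELECT name FROM accounts WHERE name LIKE '" + value + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn, value):
    """Equivalent of the thread's suggestion: append '%' in application
    code, then pass the whole string as a bound parameter (#value#)."""
    param = value + "%"
    rows = conn.execute("SELECT name FROM accounts WHERE name LIKE ?", (param,))
    return sorted(row[0] for row in rows)


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so the user's text is matched literally.
    Binding stops SQL injection; it does not stop '%' or '_' in the input
    from acting as wildcards, which this handles."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_safe_literal(conn, value):
    """Bound parameter plus ESCAPE clause: only the appended '%' is a wildcard."""
    param = escape_like(value) + "%"
    rows = conn.execute(
        "SELECT name FROM accounts WHERE name LIKE ? ESCAPE '\\'", (param,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("unsafe, normal input :", search_unsafe(db, "ali"))
    print("unsafe, payload      :", search_unsafe(db, payload))
    print("bound, payload       :", search_safe(db, payload))
    print("bound, 'a_'          :", search_safe(db, "a_"))
    print("bound+escape, 'a_'   :", search_safe_literal(db, "a_"))
```

With the substitution form, the payload `' OR 1=1 --` closes the literal and comments out the rest of the statement, so every row comes back; with the bound form the same string is simply a prefix that matches nothing. The last two calls show the separate point that `_` in user input still acts as a single-character wildcard under binding alone, and that escaping it with an `ESCAPE` clause restores a literal prefix match.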
