Thanks Larry,

But no joy. The db is MySQL 5. To provide more details, we are already
escaping single quotes with two single quotes in the business logic, i.e.
stringSql.replaceAll("'", "''")

But I was hoping there was a more elegant solution, like the one you
suggested - which is not working for me.

Z.

> This should work:
> 
> select * from table where column LIKE #value# || '%'
> 
> Larry
> 
> On Wed, Feb 20, 2008 at 9:40 PM, Zoran Avtarovski
> <[EMAIL PROTECTED]> wrote:
>> We have a web application with an ajax autocomplete text box. The problem is
>>  that currently the query statement for the ajax query is :
>> 
>>  Select * from table where column LIKE '$value$%'
>> 
>>  Which is susceptible to sql injection attacks.
>> 
>>  One solution is to have a separate connection pool with read-only
>>  privileges, but this seems blunt and doesn't prevent malicious access to
>>  sensitive data.
>> 
>> 
>>  Is there a better way of doing this?
>> 
>> 
>>  Z.
>> 
>> 
>> 
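Added example, not from this thread or from iBATIS, showing the difference Larry and Zoran are discussing: `$value$`-style text substitution versus a bound parameter, with the `%` wildcard appended to the bound value rather than concatenated in SQL (which sidesteps MySQL's default reading of `||` as logical OR), and going one step further by escaping LIKE metacharacters so the prefix is matched literally. It uses Python's sqlite3 and a constructed table; `ROWS` and the function names are assumptions.

```python
import sqlite3

# Constructed sample data (not from the thread): names that exercise the
# single quote and the LIKE metacharacters % and _.
ROWS = [("O'Brien",), ("Obama",), ("100% cotton",), ("Smith",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", ROWS)
    return conn


CONN = make_db()


def vulnerable_prefix_search(value, conn=CONN):
    # Mirrors iBATIS $value$: the input is pasted into the SQL text, so a
    # quote breaks the statement and % or _ act as wildcards.
    sql = "SELECT name FROM t WHERE name LIKE '%s%%'" % value
    return [r[0] for r in conn.execute(sql)]


def vulnerable_is_broken_by(value, conn=CONN):
    """True if the substituted query does not even parse for this input."""
    try:
        vulnerable_prefix_search(value, conn)
        return False
    except sqlite3.OperationalError:
        return True


def escape_like(value, esc="\\"):
    # Neutralise LIKE metacharacters so the user's text is matched literally.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def safe_prefix_search(value, conn=CONN):
    # Mirrors iBATIS #value#: a bound parameter. The trailing % is appended
    # to the bound value, not built in SQL, so no || or CONCAT() is needed
    # and the same statement works on MySQL and SQLite alike.
    sql = "SELECT name FROM t WHERE name LIKE ? ESCAPE '\\'"
    return [r[0] for r in conn.execute(sql, (escape_like(value) + "%",))]
```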