[Opensource] wildcards for numbers?
Michael Rimov
rimovm at centercomp.com
Mon Jan 20 10:45:04 PST 2003
At 11:40 AM 1/19/2003 -0800, you wrote:
>hi Pierre,
>
>ok, thanks for making it more clear to me. BTW, there seems to be
>support for doing a "range" test like 10 < myfield < 20 in that routine.
>
>I agree it is a bug for the numeric type. is it safe to check in your
>proposal, or do we need different handling for any other type? have you
>tested your proposal here with any other field types?
Larry,
At first hand it looks kosher. Now, on the flip side, I want to use this
to bring up a topic. Any time we allow wild cards like this, we have the
potential for SQL injection/manipulation attacks. I suspect that is why
all the data access APIs such as EJB and JDO have created their own query
language to separate things. [DBMaint is PARTICULARLY bad at this issue]
So, any ideas how to best isolate searching code so that wildcards and
special tricks like that are only allowed if the developer explicitly wants
it??
Thanks,
-Mike
>larry
>
>At 02:54 AM 1/19/2003, you wrote:
> >larry hamel wrote:
> >>
> >>
> >>hi Pierre,
> >>
> >>can you help me understand? you seem to be referring to this segment
> of code
> >>
> >>    if (containsWildCards(oneFieldValue)) {
> >>        myStatement.append(oneFieldName);
> >>        myStatement.append(" LIKE ");
> >>        myStatement.append(oneFieldValue);
> >>
> >>and you want to have LIKE used with numeric fields? why not use math
> comparisons (< >) ?
> >>
> >>of course, a string-field value should have quotes around it--is this
> not working with string fields?
> >>
> >>thanks,
> >>
> >>larry
> >>
> >>
> >>At 05:27 AM 1/18/2003, you wrote:
> >>
> >>>
> >>>
> >>>Even if the field is numeric, DBObject generates a LIKE expression, but for
> example "like 546%" is not accepted by SQL.
> >>>I propose to correct DBObject as follows:
> >>>
> >>>    myStatement.append(" LIKE ");
> >>>    if (oneFieldValue.startsWith("'")==true)
> >>>        myStatement.append(oneFieldValue);
> >>>    else
> >>>    {
> >>>        myStatement.append("'");
> >>>        myStatement.append(oneFieldValue);
> >>>        myStatement.append("'");
> >>>    }
> >>>
> >>>PMX
> >>>
> >>>
> >>>_______________________________________________
> >>>Opensource mailing list
> >>><mailto:Opensource at jcorporate.com>Opensource at jcorporate.com
> >>>http://mail.jcorporate.com/mailman/listinfo/opensource
> >>>Archives:
> <http://mail.jcorporate.com/pipermail/opensource/>http://mail.jcorporate.com/pipermail/opensource/
> >>>
> >>
> >>
> >>
> >>
> >>
> >Your proposal: we need 2 values (> first and < second), or calculate
> these two from the 'oneFieldValue', and then we need to know the format of the
> numeric field.
> >My proposal is only to avoid the SQL error, and to display results.
> >
> >For example: for '12%' SQL answers all records with 12, 120 to 129, 1200
> to 1299, etc.
> >
> >PMX
>
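Mike's question above is how to isolate the searching code so that wildcards are honoured only when the developer explicitly wants them. The following is an added example, not code from this thread or from the Expresso DBObject/DBMaint classes, written in Python against SQLite rather than the project's Java/JDBC; the `items` table, the `ROWS` sample data, the `COLUMNS` whitelist and the policy names `none`, `prefix` and `user` are all constructed for the demonstration. The design points it shows: column names come from a developer-owned whitelist, values are always bound as parameters (so a leading quote such as in O'Neil needs no quoting logic at all), numeric columns never receive LIKE (a value like "546%" is rejected instead of producing a SQL error), and whether a user's `%` and `_` act as wildcards is a per-call decision made by the developer, with the LIKE metacharacters escaped in the mode where the application adds its own `%`.

```python
import re
import sqlite3

# Constructed sample table for the demonstration (not data from the thread).
ROWS = [
    (1, "Pierre", 120),
    (2, "Larry", 12),
    (3, "O'Neil", 546),
    (4, "Mike_R", 1299),
    (5, "10% off", 129),
]

# Whitelist of searchable columns and their types. Column names never come
# from the request, so splicing them into the SQL text is safe.
COLUMNS = {"name": "text", "amount": "int"}

ESC = "\\"  # escape character declared in LIKE ... ESCAPE '\'


def escape_like(value):
    """Make %, _ and the escape char in a user value match themselves."""
    return (value.replace(ESC, ESC + ESC)
                 .replace("%", ESC + "%")
                 .replace("_", ESC + "_"))


RANGE_RE = re.compile(r"\s*(-?\d+)\s*\.\.\s*(-?\d+)\s*")  # e.g. "12..130"
INT_RE = re.compile(r"\s*-?\d+\s*")


def build_search(criteria, policy=None):
    """Return (sql, params) for a search.

    criteria: {column: user-supplied string}
    policy:   {text column: 'none' | 'prefix' | 'user'}, chosen by the developer:
              'none'   exact match; % and _ typed by the user are literal
              'prefix' the app appends %; the user's % and _ are escaped
              'user'   the user may type % and _ (explicit opt-in)
    Values are always bound as parameters, never concatenated into the SQL.
    """
    policy = policy or {}
    where, params = [], []
    for col, raw in criteria.items():
        ctype = COLUMNS.get(col)
        if ctype is None:
            raise ValueError(f"not a searchable column: {col!r}")
        if ctype == "int":
            # Numeric columns never get LIKE: accept one value or a lo..hi range.
            m = RANGE_RE.fullmatch(raw)
            if m:
                where.append(f"{col} BETWEEN ? AND ?")
                params += [int(m.group(1)), int(m.group(2))]
            elif INT_RE.fullmatch(raw):
                where.append(f"{col} = ?")
                params.append(int(raw))
            else:
                raise ValueError(f"{col}: numeric column, got {raw!r}")
            continue
        mode = policy.get(col, "none")
        if mode == "none":
            where.append(f"{col} = ?")
            params.append(raw)
        elif mode == "prefix":
            where.append(f"{col} LIKE ? ESCAPE '{ESC}'")
            params.append(escape_like(raw) + "%")
        elif mode == "user":
            where.append(f"{col} LIKE ?")
            params.append(raw)
        else:
            raise ValueError(f"unknown wildcard policy {mode!r}")
    sql = "SELECT id FROM items"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql, params


def search(criteria, policy=None):
    """Run build_search against an in-memory SQLite copy of ROWS; return ids."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER, name TEXT, amount INTEGER)")
    con.executemany("INSERT INTO items VALUES (?, ?, ?)", ROWS)
    sql, params = build_search(criteria, policy)
    ids = sorted(row[0] for row in con.execute(sql, params))
    con.close()
    return ids


if __name__ == "__main__":
    print(search({"name": "O'Neil"}))                     # [3]  bound value, no quoting code
    print(search({"name": "1%"}))                         # []   default: % is literal
    print(search({"name": "1%"}, {"name": "user"}))       # [5]  developer opted in
    print(search({"name": "Mike_"}, {"name": "prefix"}))  # [4]  user's _ escaped, app adds %
    print(search({"amount": "12..130"}))                  # [1, 2, 5]
```

The same split carries over to JDBC: the policy and the column list live in the Java code that calls `PreparedStatement`, while everything that came from the request goes through `setString`/`setInt`, so a value that merely looks like a wildcard or a quote cannot change the shape of the statement.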