
Is this a correct way to allow wildcard search for a user?
<p>Given a textbox name for example, the user requirement wants to be able to do a wildcard search (such as contains, starts with, ends with).</p>
<p>Is it OK to accept the SQL wildcard characters ('%' and '_') as input as long as I am still using a parameterized query in the backend (Java)? Effectively, this allows the user to build his own regular expression, which is what the user's requirement is all about.</p>
<p>Example:</p>
<ol>
<li><p>User types in the</p>
<pre><code>textbox = '%are%'
</code></pre></li>
<li><p>This parameter is fed to the backend as such:</p>
<pre><code>import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.Query;

public class PersonDaoImpl {
    private EntityManager mgr; // obtained elsewhere in the DAO (injected or created)

    // name gets the value from the textbox, SQL wildcards included
    public List&lt;Person&gt; search(String name) {
        // default to always use LIKE since the search key is expected to carry SQL wildcards
        Query q = mgr.createNativeQuery("select * from Person where name like :name");
        q.setParameter("name", name); // binds the screen input as a value, never concatenated into the SQL
        return q.getResultList();
    }
}
</code></pre></li>
<li>The result set would include people with names 'Waren', 'Jared', 'Clare', 'Blare' as expected since the user provided a regular expression.</li>
</ol>
<p>With the SQL parameterized query, I can ensure that I won't be allowing SQL injection. This implements the user requirement for wildcard search, but does it perhaps violate anything that I may have missed?</p>
<p>UPDATES: Just found out that Google allows wildcards too, from their <a href="http://www.google.com/support/websearch/bin/answer.py?hl=en&amp;answer=136861&amp;rd=1" rel="nofollow">help page</a>.</p>
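The following is an added example, not part of the question or the asker's Java code, written in Python with the standard-library sqlite3 module so it runs stand-alone; the same two queries map directly onto the JPA `createNativeQuery` call in the question. It contrasts the asker's approach (parameterized, but the user supplies the wildcards) with a variant where the application escapes `%`, `_` and the escape character in the user's text, adds the wildcards itself according to an explicit search mode ("contains", "starts with", "ends with"), and declares the escape character with an `ESCAPE` clause. The table name and the sample names are taken from the question; the extra rows and the `escape_like`, `build_pattern`, `search_raw` and `search_escaped` helpers are constructed for this example.

```python
import sqlite3

# Constructed sample data: the names from the question, plus two rows that
# show what an unescaped user-supplied wildcard can reach.
SAMPLE_NAMES = ["Waren", "Jared", "Clare", "Blare", "Bob", "a_b"]

ESCAPE_CHAR = "\\"


def escape_like(value: str) -> str:
    """Escape the LIKE metacharacters so user text is matched literally.

    The escape character itself is escaped first; otherwise a user-supplied
    backslash could neutralise the escaping of a following '%' or '_'.
    """
    return (
        value.replace(ESCAPE_CHAR, ESCAPE_CHAR * 2)
        .replace("%", ESCAPE_CHAR + "%")
        .replace("_", ESCAPE_CHAR + "_")
    )


def build_pattern(user_input: str, mode: str) -> str:
    """Build the LIKE pattern server-side from an explicit search mode.

    The wildcards are added by the application, never taken from the input,
    so the user cannot widen the search beyond the offered modes.
    """
    literal = escape_like(user_input)
    if mode == "contains":
        return f"%{literal}%"
    if mode == "starts_with":
        return f"{literal}%"
    if mode == "ends_with":
        return f"%{literal}"
    if mode == "exact":
        return literal
    raise ValueError(f"unknown search mode: {mode!r}")


def make_db() -> sqlite3.Connection:
    """In-memory Person table populated with the constructed sample names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO Person (name) VALUES (?)", [(n,) for n in SAMPLE_NAMES]
    )
    return conn


def search_raw(conn: sqlite3.Connection, name: str) -> list:
    """The question's approach: parameterized, but the caller supplies the wildcards.

    No SQL injection is possible (the value is bound, not concatenated), but a
    bare '%' still matches every row, so the user controls the scope of the query.
    """
    rows = conn.execute("SELECT name FROM Person WHERE name LIKE ?", (name,))
    return [r[0] for r in rows]


def search_escaped(conn: sqlite3.Connection, user_input: str, mode: str) -> list:
    """Parameterized and escaped: user text is literal, wildcards come from the mode."""
    pattern = build_pattern(user_input, mode)
    # The ESCAPE clause tells the database which character introduces a literal.
    rows = conn.execute(
        "SELECT name FROM Person WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    print(search_raw(conn, "%are%"))                # the four names from the question
    print(search_raw(conn, "%"))                    # every row in the table
    print(search_escaped(conn, "%", "contains"))    # [] -- '%' is now a literal character
    print(search_escaped(conn, "_", "contains"))    # ['a_b'] -- '_' is matched literally
    print(search_escaped(conn, "are", "contains"))  # same four names, wildcards added by the app
```

In the Java DAO from the question the equivalent change is to pass `build_pattern`'s output as the `:name` parameter and append `escape '\'` to the native query string (the `ESCAPE` syntax is standard SQL, but check the escape-character quoting rules of the database in use). Besides scope control, note that any pattern with a leading `%` forces a full scan rather than an index range lookup, so on a large table it is worth bounding the input length and the result size as well.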