Given a textbox name for example, the user requirement wants to be able to do a wildcard search (such as contains, starts with, ends with).
Is it ok to accept the sql wildcard characters ('%' and '_') as input as long as I am still using parameterized query in the backend (Java)? Effectively, allowing the user to build his own regular expression which is what the user's requirement is all about.
Example:
User types in the
textbox = '%are%'
This parameter is feed to the backend as such:
public class PersonDaoImpl {
public List<Person> search(String name){//name gets the value from textbox w/ sql wildcards
Query q = mgr.createNativeQuery('select * from Person where name like :name'); //default to always use like since expecting searchkey with sql wildcards
q.setParameter('name', name);//gives the input from the screen
return q.getResultList();
}
}
With the SQL Parameterize Query, I can ensure that I won't be allowing SQL Injection. This implements the user requirement for wildcard search, but perhaps does it violate anything that I may have missed?
UPDATES: Just found out that Google allows wildcard too, from their help page.
Well, it violates the fact that the user needs to know (or be told) how to construct SQL "LIKE" syntax, but that's all. You could end up with a slow query this way, in that it won't usually be able to use an index, but I wouldn't be concerned in terms of security or correctness.