All geek questions in one place

Mysql related to String Regex

I am developing a Java desktop application that connects to a database, and I would like to know the following. This leads to the fact that, as far as I know, prepared statements avoid SQL injection, while you are not doing direct concatenation with user data, but today I realized that it does not avoid String regular expression (for example, "%" from the operator LIKE,) due to the fact that it simply eludes characters that can break the String itself and change the request. So, if the user:

Search = "%Dogs"; // User input Query = "SELECT * FROM Table WHERE Field LIKE ?"; blah.setString(1, Search);

It will return all lines containing "Dogs" at the beginning by injection.

Now I ask:

1-) Is it something bad / dangerous to view from a global point?

2-) Is there a complete Regex list that Mysql can use from within String? if so, can you share it with me?

Thanks.

+4
source share
1 answer

If the user uses such metacharacters in his search, the results may or may not be catastrophic, but the %% search may be poor. A correct search for %Dogs cannot return user-expected results that affect their experience.

LIKE contains only two metacharacters, so you can avoid both of them yourself when they are purchased from users (just using something similar to Search = Search.replaceAll("%", "\\\\%") ).

+2
source

Source: https://habr.com/ru/post/1483474/

More articles:


All Articles