Home/ Questions/Q 6700529
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T06:49:32+00:00

Given a textbox name for example, the user requirement wants to be able to

  • 0

Given a textbox name for example, the user requirement wants to be able to do a wildcard search (such as contains, starts with, ends with).

Is it ok to accept the sql wildcard characters (‘%’ and ‘_’) as input as long as I am still using parameterized query in the backend (Java)? Effectively, allowing the user to build his own regular expression which is what the user’s requirement is all about.

Example:

  1. User types in the 

    textbox = '%are%'

  2. This parameter is feed to the backend as such:

    public class PersonDaoImpl {

        public List<Person> search(String name){//name gets the value from textbox w/ sql wildcards
        Query q = mgr.createNativeQuery('select * from Person where name like :name'); //default to always use like since expecting searchkey with sql wildcards    
        q.setParameter('name', name);//gives the input from the screen
        return q.getResultList();
        } 
}
  3. The result set would include people with names ‘Waren’, ‘Jared’, ‘Clare’, ‘Blare’ as expected since user provided a regular expression.

With the SQL Parameterize Query, I can ensure that I won’t be allowing SQL Injection. This implements the user requirement for wildcard search, but perhaps does it violate anything that I may have missed?

UPDATES:
Just found out that Google allows wildcard too, from their help page.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Well, it violates the fact that the user needs to know (or be told) how to construct SQL “LIKE” syntax, but that’s all. You could end up with a slow query this way, in that it won’t usually be able to use an index, but I wouldn’t be concerned in terms of security or correctness.

    • 0