I need to implement a search where user can input * as a wild card. The database they are searching is a SQL server. I was thinking of just replacing the * with a %:
userInput = userInput.replace('*', '%');
I’m worried that since I’m doing this “by hand” I might introduce some bugs or security flaws. Do you see any problems doing it like this? Is there any library to do this for me?
I use Hibernate as an ORM mapper and Criteria API to create the query if it helps with answers.
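An added example (not code from the question or from Hibernate) showing the point a reviewer would make about the plain `replace('*', '%')`: as long as the value is bound as a parameter (which Criteria does), the risk is not SQL injection but that a user's own `%`, `_` or, on SQL Server, `[` silently become wildcards too. The helper below escapes those LIKE metacharacters with a declared escape character and maps only `*` to `%`. The class name, the `ESCAPE` constant and the sample inputs are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not from the question or the Hibernate project): turn a user's
// '*'-wildcard search string into a SQL Server LIKE pattern with no surprise wildcards.
public final class WildcardSearch {

    // Escape character we declare in the query as ... LIKE :pattern ESCAPE '\'
    public static final char ESCAPE = '\\';

    /**
     * Translate user input into a LIKE pattern. '*' becomes '%'; the LIKE
     * metacharacters '%', '_', '[' (SQL Server character class) and the escape
     * character itself are prefixed with ESCAPE so they match literally.
     */
    public static String toLikePattern(String userInput) {
        StringBuilder out = new StringBuilder(userInput.length() + 8);
        for (char c : userInput.toCharArray()) {
            switch (c) {
                case '*':
                    out.append('%');               // the only wildcard the user may use
                    break;
                case '%':
                case '_':
                case '[':
                case ESCAPE:
                    out.append(ESCAPE).append(c);  // literal match
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs paired with the pattern we expect back
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("smith*", "smith%");
        samples.put("50% off*", "50\\% off%");
        samples.put("a_b*", "a\\_b%");
        samples.put("[x]*", "\\[x]%");
        samples.put("C:\\temp*", "C:\\\\temp%");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            String got = toLikePattern(e.getKey());
            System.out.printf("%-12s -> %-14s %s%n", e.getKey(), got,
                    got.equals(e.getValue()) ? "ok" : "MISMATCH");
        }
    }
}
```

The pattern must then be bound with the matching escape character, never concatenated into SQL. With the JPA Criteria API that is `cb.like(root.get("name"), WildcardSearch.toLikePattern(input), WildcardSearch.ESCAPE)`; the legacy Hibernate `Restrictions.like` has no escape-character overload, so there an HQL query of the form `where name like :p escape '\'` with `setParameter("p", pattern)` does the same job. A leading `*` (pattern starting with `%`) defeats index seeks, so if that matters, require at least one literal leading character or reject such input.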
That is exactly what we do in our company. We have two products, one that uses a simple replace in the code like your example. The other one which is very stored procedure heavy does it within the ‘search’ stored proc itself.
Either way, we haven’t had any instances of security issues or user complaints about the system.
Just to show the stored procedure layout, but probably redundant as you said you're using an ORM: