[英]Is this a correct way to allow wildcard search for a user?
Given a textbox name for example, the user requirement wants to be able to do a wildcard search (such as contains, starts with, ends with). 例如,给定一个文本框名称,用户要求希望能够进行通配符搜索(例如contains,starts with,ends with)。
Is it ok to accept the sql wildcard characters ('%' and '_') as input as long as I am still using parameterized query in the backend (Java)? 是否可以接受sql通配符('%'和'_')作为输入,只要我仍在后端(Java)中使用参数化查询? Effectively, allowing the user to build his own regular expression which is what the user's requirement is all about. 实际上,允许用户构建自己的正则表达式,这是用户的要求所在。
Example: 例:
User types in the 用户类型
textbox = '%are%'
This parameter is feed to the backend as such: 此参数将作为后端提供给后端:
public class PersonDaoImpl { public List<Person> search(String name){//name gets the value from textbox w/ sql wildcards Query q = mgr.createNativeQuery('select * from Person where name like :name'); //default to always use like since expecting searchkey with sql wildcards q.setParameter('name', name);//gives the input from the screen return q.getResultList(); } }
With the SQL Parameterize Query, I can ensure that I won't be allowing SQL Injection. 使用SQL Parameterize Query,我可以确保不会允许SQL注入。 This implements the user requirement for wildcard search, but perhaps does it violate anything that I may have missed? 这实现了用户对通配符搜索的要求,但是它可能违反了我可能错过的任何内容吗?
UPDATES: Just found out that Google allows wildcard too, from their help page . 更新:刚刚从他们的帮助页面发现Google也允许使用通配符。
Well, it violates the fact that the user needs to know (or be told) how to construct SQL "LIKE" syntax, but that's all. 好吧,它违反了用户需要知道(或被告知)如何构造SQL“LIKE”语法的事实,但这就是全部。 You could end up with a slow query this way, in that it won't usually be able to use an index, but I wouldn't be concerned in terms of security or correctness. 您最终可能会以这种方式查询速度慢,因为它通常不能使用索引,但我不会担心安全性或正确性。
It's "safe", but probably not a good idea, for two reasons: 这是“安全的”,但可能不是一个好主意,原因有两个:
I am curious, how does the
name
parameter end up getting set in the request?
我很好奇,
name
参数如何在请求中设置?
What platform is this?
这个平台是什么?
(OP missed setParameter
earlier) (OP早先错过了setParameter
)
As you noted the user need to know the wild-card syntax ie the use of %
, _
, etc. A more popular approach is to just get the string from the username, along with an option for 'exact match'/'starts-with'/'anywhere-in-name'. 正如您所指出的,用户需要知道通配符语法,即使用%
, _
等。更流行的方法是从用户名中获取字符串,以及“完全匹配”/“开始”的选项以“/”任何地方的名”。 If you go that route you will also be able to execute a more efficient query in the first two cases. 如果你走这条路线,你也可以在前两种情况下执行更有效的查询。
EDIT: 编辑:
If the customer insists on contains
query then I think your current approach of requiring the end-user to input a pattern better then converting the input string to pattern by putting %
around it. 如果客户坚持要contains
查询,然后我觉得你现在需要更好的最终用户输入的模式,然后通过将输入字符串转换为模式的做法%
左右吧。
This is because the users will still have the option of not adding (or selectively adding) the %
to the search string, resulting in faster query execution. 这是因为用户仍然可以选择不向搜索字符串添加(或有选择地添加) %
,从而加快查询执行速度。 For example: 例如:
If the user enter search string Don
the query is select ... from ... where name like 'Don'
. 如果用户输入搜索字符串Don
则查询select ... from ... where name like 'Don'
。 The RDBMS will most likely use the index on name. RDBMS很可能会使用名称上的索引。
If the user enter search string Don%
the query is select ... from ... where name like 'Don%'
. 如果用户输入搜索字符串Don%
则查询select ... from ... where name like 'Don%'
。 The RDBMS will still quite likely use the index on name. RDBMS仍然很可能在名称上使用索引。
If the user enter search string %Don
or %Don%
then the index cannot be used. 如果用户输入搜索字符串%Don
或%Don%
则无法使用索引。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.