前端搜索时如何避免通配符和特殊字符
假设我有一个用 Java 编写的前端搜索功能。我有一个文本框,例如名称。当我传递名称或字符时,它工作正常,但是当我传递任何特殊字符时,它不起作用,因为我将此参数发送到使用动态查询的 oracle 过程。
假设我的过程中的查询是这样的:
create or replace procedure abc
(abc IN table.name%type
,p_abc abc_cur
)
is
v_var varchar2(2000);
begin
v_var:='select * from table where name LIKE '%'NVL(p_name,name)'%'';
open c1 for v_var;
end abc;
当我传递 [%,_ ,.] 时,它会根据您在查询中看到的通配符进行搜索。
现在,当我通过 ['] 时,它才会给出异常。请告诉我一个解决方案,如何在后端处理这个问题,我不想在查询中考虑任何特殊字符,并且必须使用动态查询。
注意:请参阅大括号 [] 内的参数以逗号分隔。
我使用 Oracle 作为 RDBMS。
Suppose I have a search functionality in front end written in Java. I have a text box for example name. When I pass a name or a character it works fine, but when I pass any special character, it's not working because I am sending this parameter to the oracle procedure, which is using dynamic query.
Suppose the query in my procedure is this:
create or replace procedure abc
(abc IN table.name%type
,p_abc abc_cur
)
is
v_var varchar2(2000);
begin
v_var:='select * from table where name LIKE '%'NVL(p_name,name)'%'';
open c1 for v_var;
end abc;
When I pass [%,_ ,.] it search on the basis of wild card characters as you see in the query.
Now when I pass ['] only then it gives an exception. Please tell me a solution how to handle this is backend, I don't want to consider any special character in the query and the use of dynamic query is compulsory.
NOTE: Please see parameters within braces[] are separated by comma.
I am using Oracle as RDBMS.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
逃脱!不要让用户使用%。还要提防sql注入。 (其他需要关注的字符是 _ 和?)
顺便说一句,在 oracle 中,您可以使用类似的
问候
编辑:我更喜欢在 for 循环中使用游标,
这使我无需在异常处理程序和游标语法中管理闭包
escape! Don't let the user use %. Also beware of sql injection. (Other chars to keep an aye on are _ and ?)
Btw in oracle you can user something like
Regards
EDIT: I prefer using cursor in for loops
this saves me from managing closures in exception handlers and cursor syntax