开发者

How to avoid wild card character and special character when searching from front end

Suppose I have a search functionality in front end written in Java. I have a text box for example name. When I pass a name or a character it works fine, but when I pass any special character, it's not working because I am sending this parameter to the oracle procedure, which is using dynamic query.

Suppose the query in my procedure is this:

create or replace procedure abc
(abc IN  table.name%type
,p_abc   abc_cur 
)
is 
v_var varchar2(2000); 
begin
v_var:='select * from table where name LIKE '%'NVL(p_name,name)'%'';
open c1 for v_var;

end abc;

When I pass [%,_ ,.] it search on the basis of wild card characters as you see in the query.

Now when I pass ['] only then it gives an exception. Please tell me a solution how to handle this is backend, I don't want to consider any special character in the query and the use of dynamic query is compulsory.

NOTE: Please see parameters within braces[] are separa开发者_Go百科ted by comma.

I am using Oracle as RDBMS.


escape! Don't let the user use %. Also beware of sql injection. (Other chars to keep an aye on are _ and ?)

Btw in oracle you can user something like

SELECT * FROM TABLE_A WHERE FIELD LIKE '%sometext\%%' escape by '\'

Regards

EDIT: I prefer using cursor in for loops

for x in (select whatever from whenever) loop
   DBMS_OUTPUT.putLine(x.field);
end loop;

this saves me from managing closures in exception handlers and cursor syntax

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜