Wildcards in javascript with SQL

R

Ray Allison

Hi,

The objective is to have a form with text boxes for selection criteria
followed by an 'asp' displaying the query results. We would like to match
strings from the text boxes with table data beginning with the same strings.
Currently we are able to select exact matches but not like items (ie items
beginning with the same string).
Data from the form is passed to variables in the 'asp' as follows:
var varMake=Request.Form("txtMake");
var varModel=Request.Form("txtModel");

We then open a connection to an Access database and populate a recordset
with a list of stock using the following variables:
var adoConnection=Server.CreateObject("ADODB.Connection");
var adoRecordset;
var mySQL;

The value given to mySQL is:
var mySQL="SELECT * FROM tblStock WHERE Make = ' " + varMake + " ' AND
Model LIKE ' " + varModel + " ' ORDER BY PurchasePrice DESC";

This is then executed by:
adoRecordset=adoConnection.Execute(mySQL);

For the Make to be an exact match is fine. However, it would be disireable
for the Model to display like items. But using an asterix as a wildcard
does not work.
E.g. we can obtain exact model matches for models 'abc1', 'abc2' and 'abc3'
etc. but nothing is returned for 'abc* ' when we would expect all 'abcnn' to
be returned. Note though that the asterix earlier in the SQL, 'Select * ',
does work by selecting all fields.

Any help and suggestions would be greatly appreciated.

Thanks

Ray
 
L

Lasse Reichstein Nielsen

Ray Allison said:
Any help and suggestions would be greatly appreciated.
Click to expand...

My only suggestion is to ask in an SQL group. Your problem is in the SQL,
not the Javascript, so people in this group are not necessarily able to
help you (some might be, but you'll be more likely to find SQL experts
in another group).

I think Googleing after "sql LIKE wildcard" will give you suggestions
on how to solve the problem. I *think* you should use "%" instead of
"*" (from
<URL:http://epoch.cs.berkeley.edu:8000/sequoia/dba/montage/FAQ/SQL_howto.html>)

/L
 
K

kaeli

For the Make to be an exact match is fine. However, it would be disireable
for the Model to display like items. But using an asterix as a wildcard
does not work.
Click to expand...

The wildcard for standard SQL is a percent sign.
I can't say Access uses standard SQL though. Give it a try.

select whatever from table where upper(whatever) like upper('%
somestring%')

would be case-insensitive as well for more matches.

-------------------------------------------------
~kaeli~
All I ask for is the chance to prove that money
cannot make me happy.
http://www.ipwebdesign.net/wildAtHeart
http://www.ipwebdesign.net/kaelisSpace
-------------------------------------------------
 
B

Bryan Field-Elliot

Ray said:
The value given to mySQL is:
var mySQL="SELECT * FROM tblStock WHERE Make = ' " + varMake + " ' AND
Model LIKE ' " + varModel + " ' ORDER BY PurchasePrice DESC";

This is then executed by:
adoRecordset=adoConnection.Execute(mySQL);

For the Make to be an exact match is fine. However, it would be disireable
for the Model to display like items. But using an asterix as a wildcard
does not work.
E.g. we can obtain exact model matches for models 'abc1', 'abc2' and 'abc3'
etc. but nothing is returned for 'abc* ' when we would expect all 'abcnn' to
be returned. Note though that the asterix earlier in the SQL, 'Select * ',
does work by selecting all fields.
Click to expand...

I don't know what the wildcard character is for Microsoft SQL Server,
but on other databases, it's the LIKE keyword, with "%" as the wildcard,
example:

where Make like 'Ford%'

However there is a bigger problem with your script, you should never be
generating SQL statements with strings input directly from the client
(browser). This can lead to a security problem known as "SQL Injection".
Much better to use parameterized queries.

See here:

http://www.securiteam.com/securityreviews/5IP030K8AA.html
 
R

Ray Allison

Thanks, using percentage sign ' % ' instead of an asterix ' * ' has solved
the problem.

Again, Many thanks

Ray
 
R

Ray Allison

Thanks, using a percentage sign ' % ' instead of an asterix ' * ' has solved
the problem.

Again, Many thanks,

Ray
 
R

Ray Allison

Thanks, using the percentage sign ' % ' has solved the problem.

I hope the databases involved in our application are too insignificant for a
would be attacker. But thanks for the advice on 'SQL injection'.

Again, Many thanks,

Ray
 
S

Steve van Dongen

I hope the databases involved in our application are too insignificant for a
would be attacker. But thanks for the advice on 'SQL injection'.
Click to expand...

You're assuming that the contents of the database is the goal. A SQL
injection attack may simply be the first step in breaking into your
system or network.

Regards,
Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Wildcards in role-name 3
Javascript to delete a record in SQL server 1
First steps in setting up VSCode to work with Python. 2
I Need Help with making a function that draws in a canvas using location data. 1
Needing Help With My First JavaScript script 1
dynamically populate select option list via javascript array with sql data 4
Help with my responsive home page 2
Help with SQL Queries in ASP 0

Members online

Total: 42 (members: 2, guests: 40)
Robots: 179

Forum statistics

Threads
473,774
Messages
2,569,598
Members
45,152
Latest member
LorettaGur

Latest Threads

Top