Question

Say I have a website open to the public and some JS generates an SQL LIKE pattern which is passed to the server.

The server uses this expression without validating it in a SELECT command:

    SELECT ... WHERE (User has rights to this record) AND (field) LIKE @LikePattern

SQL injection won't be an issue because the pattern is passed in as a parameter. Using '%' as a pattern isn't a problem either, as the left-hand side of the AND restricts the records found. ('%' might even be one of the patterns generated by the JS.)

Invalid patterns might cause an error, but so long as my code is ready to handle the exception thrown from the SQL client library, the invalid pattern shouldn't cause an adverse situation. (Shouldn't it?)

Is there such a thing as a malicious or unsafe LIKE pattern? (Maybe a pattern that could cause a loop or need an unreasonable amount of processing or cause an unplanned lock?)


Solution

No, there aren't any LIKE patterns that are any more "unsafe" than a simple "%", which would of course match all valid rows.

This, of course, is assuming that you have adequate protection for the sort of SQL injection faults you could have with any plain-text field.
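An added illustration of the query shape under discussion (not code from the question or the answer): the LIKE pattern is bound as a parameter behind an ownership check, so a pattern containing SQL text is matched as a literal pattern rather than executed, and an `escape_like` helper is shown for the case where user input must be matched literally instead of as a pattern. It assumes SQLite via Python's `sqlite3`, a constructed `docs` table, and backslash as the ESCAPE character.

```python
import sqlite3

# Constructed sample data (not from the original post): records owned by two users.
ROWS = [
    (1, "alice", "report-2021.pdf"),
    (2, "alice", "notes.txt"),
    (3, "bob", "report-2022.pdf"),
    (4, "bob", "100%_done.txt"),
    (5, "bob", "undone.txt"),
]


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)", ROWS)
    return conn


def search(conn, user, like_pattern):
    """Return ids visible to `user` whose name matches the caller-supplied LIKE pattern.

    The pattern is bound as a parameter, never spliced into the SQL text, and the
    ownership test is ANDed in front of it, mirroring the query in the question.
    ESCAPE '\\' makes a backslash in the pattern quote the next character.
    """
    cur = conn.execute(
        "SELECT id FROM docs WHERE owner = ? AND name LIKE ? ESCAPE '\\' ORDER BY id",
        (user, like_pattern),
    )
    return [row[0] for row in cur.fetchall()]


def escape_like(literal):
    """Escape LIKE metacharacters so `literal` is matched verbatim, not as a pattern.

    Use this only when the input is meant to be literal text; the question's JS
    deliberately generates patterns, so there it would not apply.
    """
    return literal.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


if __name__ == "__main__":
    db = make_db()
    print(search(db, "alice", "%"))              # ownership clause bounds the result
    print(search(db, "alice", "%' OR 1=1 --"))   # SQL text in the pattern is just a pattern
    print(search(db, "bob", "%_done%"))          # '_' is a wildcard here
    print(search(db, "bob", "%" + escape_like("_done") + "%"))  # literal "_done"
```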

License: CC-BY-SA with attribution
Not affiliated with StackOverflow