ibatis-user-java mailing list archives

From Brandon Goodin <brandon.goo...@gmail.com>
Subject Re: LIKE and Wildcards
Date Thu, 14 Apr 2005 19:29:20 GMT
The second will work. But, you make yourself vulnerable to SQL
injection. As odd as the other syntax is, it is the only way to avoid
SQL injection. So, you would be using that syntax no matter what. Even
if you weren't using iBatis.

Brandon

On 4/14/05, Ron Grabowski <rongrabowski@yahoo.com> wrote:
> Have you tried using CDATA like this (I'd be curious to know if this
> works or not):
> 
>  <isNotEmpty prepend="AND" property="description">
>   <![CDATA[
>    xyz
>   ]]>
>  </isNotEmpty>
> 
> Maybe I missed this in the other responses to this thread, but does
> this work:
> 
>  <isNotEmpty prepend="AND" property="description">
>   description like '%$description$%'
>  </isNotEmpty>
> 
> --- Nic Werner <werner@sonoma.edu> wrote:
> > I tried the CDATA, but then the <isEmpty> type statements are not
> > processed and are passed directly to Oracle.
> 
> >
> > Thanks for all the suggestions, I'll use the overly awkward concat
> > solution that Brandon and Paul mentioned.
> >
> > - Nic.
> >
> > Paul Barry wrote:
> >
> > > CDATA is not going to help.  The actual SQL query that iBATIS will
> > > execute is:
> > >
> > > SELECT *
> > > FROM device,person
> > > where device.owner = person.regid
> > > and description like %'this is the descirption'%
> > >
> > > You can see how that is going to cause a problem.  Change your
> > > query in the sqlmap to look like this:
> > >
> > >
> > > SELECT *
> > > FROM device,person
> > > where device.owner = person.regid
> > > and description like '%'||%#description#||'%'
> > >
> > > Sheehan, Andrew wrote:
> > >
> > >> Hiya,
> > >>
> > >> Would you be able to use a CDATA section in your where clause?
> > >>
> > >> HTH,
> > >>
> > >> Andrew
> > >>
> > >> -----Original Message-----
> > >> From: Nic Werner [mailto:werner@sonoma.edu]
> > >> Sent: Wednesday, April 13, 2005 8:57 PM
> > >> To: ibatis-user-java@incubator.apache.org
> > >> Subject: LIKE and Wildcards
> > >>
> > >> Hi again,
> > >>     Is there a way to use the 'like' operator and also use
> > >> wildcards? I'm trying to use Oracle with this, and the following
> > >> does not work:
> > >>
> > >> SELECT *
> > >> FROM device,person
> > >> where device.owner = person.regid
> > >> <isNotEmpty prepend="AND" property="description">
> > >> description like %#description#%
> > >> (I get invalid symbol)
> > >>
> > >> All examples only use the equivalent of #description# which
> > >> doesn't add anything of value, it is the equivalent of using '='.
> > >
> >
> >
>
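The difference between the two sqlmap variants in this thread, as an added example that is not part of the original posts or of iBATIS itself: in iBATIS SQL Maps `#description#` becomes a bound `?` parameter, while `$description$` pastes the value into the SQL text. The Python block below reproduces both behaviours with `sqlite3` standing in for Oracle (both databases support `||` and the `ESCAPE` clause), using constructed sample rows. `search_bound` is the concat form Brandon and Paul recommend; `search_substituted` is the `$`-style form Ron asked about. The `escape_like` helper and `ESCAPE '\'` are an addition beyond the thread: binding the value keeps it from changing the query, but a bound `%` or `_` is still a LIKE wildcard unless escaped.

```python
"""Parameterised LIKE with wildcards (added example, not iBATIS code).

  bound:       description like '%' || #description# || '%'   -> '?' parameter
  substituted: description like '%$description$%'             -> text pasted into SQL
"""
import sqlite3

# Constructed sample rows standing in for the thread's device table.
ROWS = [
    (1, "this is the description"),
    (2, "O'Brien's laptop"),
    (3, "100% charged"),
    (4, "unrelated"),
]


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device (id INTEGER PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO device VALUES (?, ?)", ROWS)
    return conn


def escape_like(term: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so the user's text is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_bound(conn: sqlite3.Connection, term: str) -> list:
    """'#description#' style: the wildcards live in the SQL, the value is bound."""
    sql = ("SELECT id FROM device "
           "WHERE description LIKE '%' || ? || '%' ESCAPE '\\' ORDER BY id")
    return [row[0] for row in conn.execute(sql, (escape_like(term),))]


def search_substituted(conn: sqlite3.Connection, term: str) -> list:
    """'$description$' style: the value is pasted into the SQL text (vulnerable)."""
    sql = f"SELECT id FROM device WHERE description LIKE '%{term}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def substitution_fails(conn: sqlite3.Connection, term: str) -> bool:
    """True when the substituted query cannot even be parsed for this input."""
    try:
        search_substituted(conn, term)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = open_db()
    for value in ("description", "O'Brien", "%"):
        print(f"{value!r:16} bound={search_bound(db, value)} "
              f"substituted_fails={substitution_fails(db, value)}")
```

An apostrophe in the search text breaks the substituted query outright, which is the same weakness an attacker would use, while the bound form just matches it; a bare `%` returns every row from the substituted form but only rows containing a literal `%` from the bound-and-escaped one. The `<isNotEmpty>` guard in the original sqlmap matters for the bound form too, since an empty value produces `LIKE '%%'` and matches everything.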
