ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Larry Meadors <larry.mead...@gmail.com>
Subject Re: [HELP] Whether or not iBatis support SQL Injection?
Date Wed, 06 Jul 2005 03:25:40 GMT
When you use this:

<select id="good" resultMap="myResultMap">
select * from foo where id = #value#
</select>

...and call it like this:

MyBean b = (MyBean)sqlMap.queryForObject("good", new Integer(1));

...iBATIS creates a prepared statement, so the SQL that goes to the database is:

select * from foo where id = ?

...then a second parameter is sent to the driver to tell it that the
value of the ? placeholder is 1. The parameter 1 is not used to modify
the SQL.

However, when you use this:

<select id="bad" resultMap="myResultMap">
select * from foo where id = $value$
</select>

...and call it like this:

MyBean b = (MyBean)sqlMap.queryForObject("bad", new Integer(1));

...iBATIS creates a prepared statement, but the SQL that goes to the
database is:

select * from foo where id = 1

...so the object passed in (the Integer in this case) is used to
modify the SQL that is executed. This is where the danger is.

Let's say instead of an integer, a String was passed in from a web
page and the input was not checked. If the string was "1", that would
be just fine. However, a user could send a string like this: "1;drop
table foo;--", and instead of the query above, you would get this:

select * from foo where id = 1;drop table foo;--

Oops! what happened to the foo table?

If you can use the ## syntax, do.

Larry


On 7/5/05, Pham Anh Tuan <anhtuan@ichi-corp.jp> wrote:
> oh, thanks all you :)
> 
> but I don't understand clearly why when we use ## is more safe than using
> $$.
> 
> Is there any special things in using ## ???
> 
> help me!
> ----- Original Message -----
> From: "Brandon Goodin" <brandon.goodin@gmail.com>
> To: <user-java@ibatis.apache.org>
> Sent: Tuesday, July 05, 2005 8:54 PM
> Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
> 
> 
> > If you are using the #myProperty# delimiters you need not worry about
> > sql injection. If you use the $myProperty$ literals you would need to
> > guard against sql injection on your own.
> >
> > Brandon.
> >
> > On 7/5/05, Pham Anh Tuan <anhtuan@ichi-corp.jp> wrote:
> >>
> >> Hi all,
> >>
> >> I don't know whether or not iBatis support checking SQL Injection or not
> >> ?
> >>
> >> plz help me :)
> >>
> >> Pham
> >
> >
> 
> 
>

Mime
View raw message