ibatis-user-java mailing list archives

From Larry Meadors <lmead...@apache.org>
Subject Re: Using percentages with like and parameter
Date Thu, 16 Feb 2006 17:11:06 GMT
Be very careful using that approach.

As long as you tightly protect the value of keyword...you are OK, but
SQL injection will bring you to your knees if keyword = "x';drop table
table;--", because it will execute perfectly with most drivers..and
quietly drop your table, too.

The solutions that Jared and Sven suggested are not vulnerable to that.

Larry


On 2/16/06, Hilde.DE-GRAEVE@ext.cec.eu.int
<Hilde.DE-GRAEVE@ext.cec.eu.int> wrote:
> We found it out:
>
> Select * from table where label '%$keyword$%'
>
> Thanks
>
> -----Original Message-----
> From: Sven.Boden [mailto:list123@pandora.be]
> Sent: Thursday, February 16, 2006 3:25 PM
> To: user-java@ibatis.apache.org
> Subject: Re: Using percentages with like and parameter
>
>
>
> Should also work:
>
> select * from table where label like '%' || #keyword# || '%'
>
> Regards,
> Sven
>
>
> >----- Original Message -----
> >From: Jared Blitzstein [mailto:mailing-list@blitzstein.net]
> >Sent: Thursday, February 16, 2006 03:08 PM
> >To: user-java@ibatis.apache.org
> >Subject: Re: Using percentages with like and parameter
> >
> >The way I've done it is actually set the %'s when you setup
> >#keyword#. So myObject.setKeyword("%myliketerm%");
> >
> >On Feb 16, 2006, at 8:42 AM, Hilde.DE-GRAEVE@ext.cec.eu.int wrote:
> >
> >>
> >>
> >> Hello,
> >>
> >> I have the following select :
> >>
> >> Select * from table where label like  #keyword#
> >>
> >> Does anyone know how to add the % percentages before and after the
> >> keyword.
> >>
> >> I tried it before and after but ibatis does not accept it.
> >> So I'm doing it in my class that calls the query but would like to
> >> know if there is another solution.
> >>
> >> Thanks,
> >>
> >> Hilde
> >>
> >>
> >>
> >
> >
>
>
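As an added example that is not part of the thread, the two styles discussed above modelled in Python with sqlite3 standing in for the iBATIS/JDBC layer: `substituted_sql` mimics `$keyword$` (the value is spliced into the SQL text), while `search_bound` mimics Sven's `'%' || #keyword# || '%'` form (the value travels as a prepared-statement parameter). The table name `items` and the sample rows are constructed for this example; the `ESCAPE` handling is an addition the thread does not mention, needed if the caller must not be able to supply `%` or `_` wildcards of their own.

```python
import sqlite3

# Constructed sample rows; the '%' and '_' labels show why LIKE metacharacters
# in user input still need escaping even when the statement is parameterized.
SAMPLE_LABELS = ["apple pie", "50% off", "under_score", "x"]


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (label TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [(l,) for l in SAMPLE_LABELS])
    return conn


def substituted_sql(keyword: str) -> str:
    """Model of iBATIS '$keyword$': the value becomes part of the SQL text,
    so quotes and semicolons inside it are parsed as SQL, not as data."""
    return "SELECT label FROM items WHERE label LIKE '%" + keyword + "%'"


def escape_like(keyword: str, esc: str = "\\") -> str:
    """Escape the LIKE metacharacters so the keyword matches literally."""
    return (keyword.replace(esc, esc + esc)
                   .replace("%", esc + "%")
                   .replace("_", esc + "_"))


def search_bound(conn: sqlite3.Connection, keyword: str) -> list[str]:
    """Model of iBATIS '#keyword#': the wildcards live in the SQL and the
    keyword is a bound parameter, so it can never change the statement."""
    sql = "SELECT label FROM items WHERE label LIKE '%' || ? || '%' ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (escape_like(keyword),))]


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = setup()
    payload = "x';drop table items;--"   # the input Larry warns about
    print(substituted_sql(payload))      # the payload is now two statements
    print(search_bound(conn, payload))   # [] and the table is untouched
    print(search_bound(conn, "%"))       # ['50% off'], a literal percent sign
```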
