ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Arsalan Zaidi" <arsalan.za...@arrkgroup.com>
Subject RE: RE(1): Avoiding SQL injection when calling stored procedures
Date Thu, 22 Feb 2007 05:03:04 GMT
Right, thanks for all you help! :-)

Regards,
 
Arsalan Zaidi
> -----Original Message-----
> From: larry.meadors@gmail.com [mailto:larry.meadors@gmail.com] On Behalf
> Of Larry Meadors
> Sent: Wednesday, February 21, 2007 6:09 PM
> To: user-java@ibatis.apache.org; arsalan.zaidi@arrkgroup.com
> Subject: Re: RE(1): Avoiding SQL injection when calling stored procedures
> 
> No.
> 
> If your stored procedure constructs SQL from parameters, it is assumed
> that you know what you are doing and escape them.
> 
> Larry
> 
> 
> On 2/20/07, arsalan.zaidi@arrkgroup.com <arsalan.zaidi@arrkgroup.com>
> wrote:
> >
> > Hi Jeff.
> >
> > Is there no danger of SQL Injection even if the stored procedure
> internally uses the parameters to dynamically construct a query? In other
> words, are the parameters actively escaped by iBATIS even if I use a '?'
> when calling an stored procedure?
> >
> > Thanks in advance!
> >
> > Arsalan Zaidi
> >
> > ----- Original message -----
> > From: "Jeff Butler" <jeffgbutler@gmail.com>
> > Date: 2/20/2007 1:12:46 PM
> > Subject: Re: Avoiding SQL injection when calling stored procedures
> >
> > > There is no danger of SQL injection in the first example.  This is
> standard
> > > JDBC syntax for stored procedures.
> > >
> > > You can use the # syntax if you want, but you can't use a parameter
> map.
> > > Use a parameter class instead, and you'll need to use the advance
> inline
> > > paramater syntax.  But you should know that iBATIS will turn each
> parameter
> > > into a question mark, so you get back to the same thing anyway.
> > >
> > > Jeff Butler
> > >
> > >
> > >
> > > On 2/20/07, Arsalan Zaidi <arsalan.zaidi@arrkgroup.com> wrote:
> > > >
> > > >  Hi All.
> > > >
> > > > When I call a stored procedure in Oracle like below, it works just
> fine:
> > > >
> > > >     <parameterMap id="getTitles" class="map">
> > > >         <parameter property="applicationId"
> > > > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN"
> />
> > > >         <parameter property="userId"
> > > > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN"
> />
> > > >         <parameter property="o_titles_record_set"
> > > > jdbcType="ORACLECURSOR"    javaType="java.sql.ResultSet"
> mode="OUT"
> > > >     resultMap="titles" />
> > > >         <parameter property="o_error_code"
> > > > jdbcType="VARCHAR"        javaType="java.lang.String"     mode="OUT"
> />
> > > >     </parameterMap>
> > > >     <!-- Calling the Stored procedure -->
> > > >     <procedure id="get_titles_proc" parameterMap="getTitles">
> > > >                 {  call ABC$$ECOM.get_titles( ?,?,?,? ) }
> > > >     </procedure>
> > > >
> > > > However, I think using '?' does not provide any protection from SQL
> > > > injection attacks. Converting the ? to # should do the trick.
> However, if I
> > > > were to try the following:
> > > >
> > > >     <parameterMap id="getTitles" class="map">
> > > >         <parameter property="applicationId"
> > > > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN"
> />
> > > >         <parameter property="userId"
> > > > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN"
> />
> > > >         <parameter property="o_titles_record_set"
> > > > jdbcType="ORACLECURSOR"    javaType="java.sql.ResultSet"
> mode="OUT"
> > > >     resultMap="titles" />
> > > >         <parameter property="o_error_code"
> > > > jdbcType="VARCHAR"        javaType="java.lang.String"     mode="OUT"
> />
> > > >     </parameterMap>
> > > >     <!-- Calling the Stored procedure -->
> > > >     <procedure id="get_titles_proc" parameterMap="getTitles">
> > > >                 {  call ABC$$ECOM.get_titles(
> #applicationId#,#userId#,
> > > > #o_titles_record_set#,#o_error_code# ) }
> > > >     </procedure>
> > > >
> > > >
> > > > I get an "Invalid Column Index" Exception.
> > > >
> > > > What am I doing wrong?
> > > >
> > > > Regards.
> > > >
> > > > --Arsalan
> > > >
> > > >
> > > >
> > > > Regards,
> > > >
> > > >
> > > >
> > > > Arsalan Zaidi
> > > >
> > > >
> > > >
> > >
> >


Mime
View raw message