ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry Meadors" <lmead...@apache.org>
Subject Re: RE(1): Avoiding SQL injection when calling stored procedures
Date Wed, 21 Feb 2007 12:38:44 GMT
No.

If your stored procedure constructs SQL from parameters, it is assumed
that you know what you are doing and escape them.

Larry


On 2/20/07, arsalan.zaidi@arrkgroup.com <arsalan.zaidi@arrkgroup.com> wrote:
>
> Hi Jeff.
>
> Is there no danger of SQL Injection even if the stored procedure  internally uses the
parameters to dynamically construct a query? In other words, are the parameters actively escaped
by iBATIS even if I use a '?' when calling an stored procedure?
>
> Thanks in advance!
>
> Arsalan Zaidi
>
> ----- Original message -----
> From: "Jeff Butler" <jeffgbutler@gmail.com>
> Date: 2/20/2007 1:12:46 PM
> Subject: Re: Avoiding SQL injection when calling stored procedures
>
> > There is no danger of SQL injection in the first example.  This is standard
> > JDBC syntax for stored procedures.
> >
> > You can use the # syntax if you want, but you can't use a parameter map.
> > Use a parameter class instead, and you'll need to use the advance inline
> > paramater syntax.  But you should know that iBATIS will turn each parameter
> > into a question mark, so you get back to the same thing anyway.
> >
> > Jeff Butler
> >
> >
> >
> > On 2/20/07, Arsalan Zaidi <arsalan.zaidi@arrkgroup.com> wrote:
> > >
> > >  Hi All.
> > >
> > > When I call a stored procedure in Oracle like below, it works just fine:
> > >
> > >     <parameterMap id="getTitles" class="map">
> > >         <parameter property="applicationId"
> > > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
> > >         <parameter property="userId"
> > > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
> > >         <parameter property="o_titles_record_set"
> > > jdbcType="ORACLECURSOR"    javaType="java.sql.ResultSet"     mode="OUT"
> > >     resultMap="titles" />
> > >         <parameter property="o_error_code"
> > > jdbcType="VARCHAR"        javaType="java.lang.String"     mode="OUT" />
> > >     </parameterMap>
> > >     <!-- Calling the Stored procedure -->
> > >     <procedure id="get_titles_proc" parameterMap="getTitles">
> > >                 {  call ABC$$ECOM.get_titles( ?,?,?,? ) }
> > >     </procedure>
> > >
> > > However, I think using '?' does not provide any protection from SQL
> > > injection attacks. Converting the ? to # should do the trick. However, if I
> > > were to try the following:
> > >
> > >     <parameterMap id="getTitles" class="map">
> > >         <parameter property="applicationId"
> > > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
> > >         <parameter property="userId"
> > > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
> > >         <parameter property="o_titles_record_set"
> > > jdbcType="ORACLECURSOR"    javaType="java.sql.ResultSet"     mode="OUT"
> > >     resultMap="titles" />
> > >         <parameter property="o_error_code"
> > > jdbcType="VARCHAR"        javaType="java.lang.String"     mode="OUT" />
> > >     </parameterMap>
> > >     <!-- Calling the Stored procedure -->
> > >     <procedure id="get_titles_proc" parameterMap="getTitles">
> > >                 {  call ABC$$ECOM.get_titles( #applicationId#,#userId#,
> > > #o_titles_record_set#,#o_error_code# ) }
> > >     </procedure>
> > >
> > >
> > > I get an "Invalid Column Index" Exception.
> > >
> > > What am I doing wrong?
> > >
> > > Regards.
> > >
> > > --Arsalan
> > >
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > > Arsalan Zaidi
> > >
> > >
> > >
> >
>

Mime
View raw message