ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Butler" <jeffgbut...@gmail.com>
Subject Re: Avoiding SQL injection when calling stored procedures
Date Tue, 20 Feb 2007 13:12:46 GMT
There is no danger of SQL injection in the first example.  This is standard
JDBC syntax for stored procedures.

You can use the # syntax if you want, but you can't use a parameter map.
Use a parameter class instead, and you'll need to use the advance inline
paramater syntax.  But you should know that iBATIS will turn each parameter
into a question mark, so you get back to the same thing anyway.

Jeff Butler



On 2/20/07, Arsalan Zaidi <arsalan.zaidi@arrkgroup.com> wrote:
>
>  Hi All.
>
> When I call a stored procedure in Oracle like below, it works just fine:
>
>     <parameterMap id="getTitles" class="map">
>         <parameter property="applicationId"
> jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
>         <parameter property="userId"
> jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
>         <parameter property="o_titles_record_set"
> jdbcType="ORACLECURSOR"    javaType="java.sql.ResultSet"     mode="OUT"
>     resultMap="titles" />
>         <parameter property="o_error_code"
> jdbcType="VARCHAR"        javaType="java.lang.String"     mode="OUT" />
>     </parameterMap>
>     <!-- Calling the Stored procedure -->
>     <procedure id="get_titles_proc" parameterMap="getTitles">
>                 {  call ABC$$ECOM.get_titles( ?,?,?,? ) }
>     </procedure>
>
> However, I think using '?' does not provide any protection from SQL
> injection attacks. Converting the ? to # should do the trick. However, if I
> were to try the following:
>
>     <parameterMap id="getTitles" class="map">
>         <parameter property="applicationId"
> jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
>         <parameter property="userId"
> jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
>         <parameter property="o_titles_record_set"
> jdbcType="ORACLECURSOR"    javaType="java.sql.ResultSet"     mode="OUT"
>     resultMap="titles" />
>         <parameter property="o_error_code"
> jdbcType="VARCHAR"        javaType="java.lang.String"     mode="OUT" />
>     </parameterMap>
>     <!-- Calling the Stored procedure -->
>     <procedure id="get_titles_proc" parameterMap="getTitles">
>                 {  call ABC$$ECOM.get_titles( #applicationId#,#userId#,
> #o_titles_record_set#,#o_error_code# ) }
>     </procedure>
>
>
> I get an "Invalid Column Index" Exception.
>
> What am I doing wrong?
>
> Regards.
>
> --Arsalan
>
>
>
> Regards,
>
>
>
> Arsalan Zaidi
>
>
>

Mime
View raw message