ibatis-user-java mailing list archives

From Zoran Avtarovski <zo...@sparecreative.com>
Subject Re: Running dynamic sp
Date Wed, 01 Aug 2007 23:47:21 GMT
The way we got around the risk of malicious users was to run $query$ using a
separate db connection where the user for that connection only had read
privileges.

Saves a lot of angst.

Z.

> 
> I can't avoid using $ in my case as I need a method to run any sp with
> varying no of parameters. Anyway thanks guys for the solution and
> suggestions.
> 
> 
> Ashok Madhavan wrote:
>> 
>> i would always prefer not to use '$'. else you will have to check what is
>> sent in the '$' and make sure it is proper and what u want.
>> 
>> anyways i like the methods being different for your scenario
>> 
>> regards
>> ashok
>> 
>> On 7/31/07, Larry Meadors <lmeadors@apache.org> wrote:
>>> 
>>> Only if you control the value of sp_name very carefully. If someone
>>> can set it to "drop table order;--" you're screwed. :-)
>>> 
>>> Larry
>>> 
>>> 
>>> On 7/31/07, John Dahl <clickjohndahl@gmail.com> wrote:
>>>> 
>>>> OK, I did it successfully with "$" operator.
>>>> One thing I would like to know is can we prevent sql injection in this
>>>> case.
>>>> 
>>>> Thank you for the solution.
>>>> 
>>>> 
>>>> John Dahl wrote:
>>>>> 
>>>>> Ok, here is my requirement. I need to run different sp having
>>>>> different parameters. For eg. I need to run following sps
>>>>> 1) call generate_bill( #bill_id#)
>>>>> 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
>>>>> 
>>>>> Can I create a single method in sql maps with dynamic tags (or
>>>>> programmatically) so that the same method can be called to execute any
>>>>> of these sps. sp Name and parameter map need to be resolved only at run
>>>>> time.
>>>>> Is it possible with iBatis.
>>>>> 
>>>>> Thanx in advance.
>>>>> 
>>>> 
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11923238
>>>> Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
>>>> 
>>>> 
>>> 
>> 
>> 



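The thread's underlying problem is that iBATIS `$...$` substitution pastes the caller's string straight into the SQL text, while `#...#` binds it as a parameter. The defensive pattern that the replies circle around, as an added example that is not code from the thread or from iBATIS itself: substitute only the procedure name, and only after checking it against an allow-list, then bind every parameter value through a JDBC `?` placeholder (the JDBC equivalent of `#param#`). The `ALLOWED` registry, the class name and the `IDENT` pattern are assumptions made for this example; the procedure names come from John's original question, and the rejected payload is Larry's.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not from the thread: run a stored procedure whose name and
 * parameter count are chosen at runtime without letting the caller inject SQL.
 * The procedure name is the only piece that has to be substituted into the SQL
 * text, so it is checked against an allow-list; every parameter value goes
 * through a "?" placeholder and is never concatenated.
 */
public final class DynamicProcedureRunner {

    // Hypothetical allow-list: procedure name -> number of parameters it takes.
    private static final Map<String, Integer> ALLOWED = Map.of(
            "generate_bill", 1,
            "generate_invoice", 3);

    // Defence in depth: even an allow-listed name must be a plain identifier.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /** Builds "{call name(?, ?, ...)}" or throws if the name or arity is not allowed. */
    public static String buildCall(String spName, int argCount) {
        Integer arity = ALLOWED.get(spName);
        if (arity == null || !IDENT.matcher(spName).matches()) {
            throw new IllegalArgumentException("procedure not allowed: " + spName);
        }
        if (arity != argCount) {
            throw new IllegalArgumentException(
                    spName + " expects " + arity + " parameters, got " + argCount);
        }
        StringBuilder sb = new StringBuilder("{call ").append(spName).append('(');
        for (int i = 0; i < argCount; i++) {
            sb.append(i == 0 ? "?" : ", ?");
        }
        return sb.append(")}").toString();
    }

    /**
     * Executes the procedure with bound parameters. Pass a connection from a
     * read-only account if you also want Zoran's second line of defence.
     */
    public static void run(Connection conn, String spName, List<?> args) throws SQLException {
        String sql = buildCall(spName, args.size());
        try (CallableStatement cs = conn.prepareCall(sql)) {
            for (int i = 0; i < args.size(); i++) {
                cs.setObject(i + 1, args.get(i)); // bound by the driver, never pasted into SQL
            }
            cs.execute();
        }
    }

    /** Demonstrates the check without needing a database. */
    public static void main(String[] argv) {
        System.out.println(buildCall("generate_invoice", 3));
        try {
            buildCall("drop table order;--", 0); // the payload Larry warns about
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            buildCall("generate_bill", 2); // right name, wrong number of parameters
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list is what makes runtime selection of the procedure safe: the name is still spliced into the SQL string, but only a name you wrote into the map can get there. Binding the parameters with `?` removes the other injection point, so a value such as `start_date` cannot close the call and start a new statement. Running the whole thing on a read-only connection, as Zoran suggests, limits the damage if the allow-list is ever bypassed, but it does not by itself stop data from being read through a crafted value.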