ibatis-user-java mailing list archives

From Heinrich Götzger <goetz...@gmx.de>
Subject Re: HowTo add parameter to part of regex in select
Date Fri, 02 Nov 2007 17:44:56 GMT
Larry Meadors wrote:
> You could do this:
> 
> SELECT *
> FROM table
> WHERE REGEXP_LIKE (id, '^($id$)\-[0]{4}[0-9][0-9][A-Z][0-9]{2}[A-Z]$$')
> 
> Doing this will open you up to SQL injection, so if id = " ');drop
> table some_important_data; --", you'll be pissed.
> 
> I'd build the regex in java code and pass it in that way.
Thanks for that hint, I'll follow it.

Heinrich

> 
> Larry
> 
> 
> On 11/2/07, Heinrich Götzger <goetzger@gmx.de> wrote:
>> Hi,
>>
>> Is there a possibility to get the following to run with iBATIS?
>>
>> SELECT * FROM table WHERE
>>         REGEXP_LIKE (id, '^(#id#)\-[0]{4}[0-9][0-9][A-Z][0-9]{2}[A-Z]$')
>>
>> (remark: this is not working)
>>
>> or would I need to prepare the regexp in the java-part and use it like:
>>
>> SELECT * FROM table WHERE
>>         REGEXP_LIKE (id, #id#)
>>
>> (remark: this is working)
>>
>> Or in other words: can I get iBATIS to only get part of the regex passed
>> and add it to the rest of an existing expression or would I need to
>> build the complete expression in Java and pass it as a regular
>> (string-)parameter to iBATIS-Layer?
>>
>> Thanks, cheers
>>
>> Heinrich
>>
> 
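
The approach recommended in the thread (build the regex in Java, bind it with `#...#`), as an added example that is not code from either poster or from iBATIS. The class name, the `#pattern#` parameter name and the 64-character limit are assumptions, as is a database regex dialect that accepts backslash escapes.

```java
import java.util.regex.Pattern;

public class IdPatternBuilder {
    // Fixed tail of the expression from the thread.
    private static final String SUFFIX = "\\-[0]{4}[0-9][0-9][A-Z][0-9]{2}[A-Z]$";
    // Characters that carry special meaning in a regular expression.
    private static final Pattern META = Pattern.compile("[\\\\^$.|?*+()\\[\\]{}]");

    /** Backslash-escape regex metacharacters so the id can only match literally. */
    static String escapeRegex(String id) {
        return META.matcher(id).replaceAll("\\\\$0");
    }

    /** Build the complete expression that is bound as ONE string parameter. */
    static String buildPattern(String id) {
        if (id == null || id.isEmpty() || id.length() > 64) { // 64 is an assumed limit
            throw new IllegalArgumentException("invalid id");
        }
        return "^(" + escapeRegex(id) + ")" + SUFFIX;
    }

    public static void main(String[] args) {
        // Mapped statement (the working form from the thread, parameter renamed):
        //   SELECT * FROM table WHERE REGEXP_LIKE (id, #pattern#)
        // #pattern# becomes a JDBC bind variable, so the value never becomes SQL text.
        // With $id$ the value is pasted into the statement, which is the injection risk.
        String[] samples = {            // constructed sample inputs
            "AB12",
            "A.B|C",
            " ');drop table some_important_data; --"
        };
        for (String s : samples) {
            System.out.println(buildPattern(s));
        }
    }
}
```

The third sample comes out as `^( '\);drop table some_important_data; --)\-[0]{4}[0-9][0-9][A-Z][0-9]{2}[A-Z]$`: as a bound value it is only a pattern that matches nothing, and the escaping keeps characters such as `|` or `)` in an id from changing what the expression matches.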

