ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry Meadors" <lmead...@apache.org>
Subject Re: HowTo add parameter to part of regex in select
Date Fri, 02 Nov 2007 17:41:19 GMT
You could to this:

SELECT *
FROM table
WHERE REGEXP_LIKE (id, '^($id$)\-[0]{4}[0-9][0-9][A-Z][0-9]{2}[A-Z]$$')

Doing this will open you up to SQL injection, so if id = " ');drop
table some_important_data; --", you'll be pissed.

I'd build the regex in java code and pass it in that way.

Larry


On 11/2/07, Heinrich Götzger <goetzger@gmx.de> wrote:
> Hi,
>
> is there a possibility to get following to run with iBATIS?
>
> SELECT * FROM table WHERE
>         REGEXP_LIKE (id, '^(#id#)\-[0]{4}[0-9][0-9][A-Z][0-9]{2}[A-Z]$')
>
> (remark: this is not working)
>
> or would I need to prepare the regexp in the java-part and use it like:
>
> SELECT * FROM table WHERE
>         REGEXP_LIKE (id, #id#)
>
> (remark: this is working)
>
> Or in other words: can i get iBATIS to only get part of the regex passed
> and add it to the rest of an existing expression or would I need to
> build the complete expression in Java and pass it as a regular
> (string-)parameter to iBATIS-Layer?
>
> Thanks, cheers
>
> Heinrich
>

Mime
View raw message