ibatis-user-java mailing list archives

From Abhishek Pratap Singh08 <Abhishek_Sing...@infosys.com>
Subject Regarding SQL injection changing SELECT QUERY
Date Tue, 04 Mar 2008 15:00:36 GMT

Hi Again,

Suppose I have a query

Select * from table where column LIKE '$value$%'

Can be changed to
select * from table where column LIKE #value# || '%'

but this works on ORACLE....

what is the workaround for MySQL?


-----Original Message-----
From: Larry Meadors [mailto:larry.meadors@gmail.com]
Sent: Tuesday, March 04, 2008 6:18 PM
To: user-java@ibatis.apache.org
Subject: Re: Regarding SQL injection

Chapter 1

Don't use the replacement ($property$) syntax unless you scrub the input.

The end.



On Tue, Mar 4, 2008 at 3:05 AM, Abhishek Pratap Singh08
<Abhishek_Singh08@infosys.com> wrote:
> Hi All,
> I need the guidelines for handling SQL
> injection in iBatis. Any pdf or link will be very helpful.
> Regards,
> Abhishek
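The two query shapes in the question, and the "scrub the input or don't use `$property$`" advice in the quoted reply, can be shown side by side. The following is an added example, not code from the thread or from iBatis: it uses Python's built-in `sqlite3` so it runs offline, with the `$value$` case written as plain text substitution and the `#value#` case written as a bound `?` parameter, which is what iBatis does under the hood. SQLite concatenates with `||` just as Oracle does; MySQL treats `||` as logical OR unless `PIPES_AS_CONCAT` is enabled, so the same bound shape there is `LIKE CONCAT(?, '%')` (that is a note added here, not something the thread states). The table, rows and the `customer`/`name` names are constructed for the example. It also shows the caveat that binding stops injection but does not stop a user-supplied `%` or `_` from acting as a wildcard, which needs separate escaping.

```python
import sqlite3

# Constructed sample table for the example (not from the thread).
SAMPLE_ROWS = [("alice",), ("albert",), ("bob",)]


def make_db():
    """In-memory SQLite database with a single 'customer' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?)", SAMPLE_ROWS)
    return conn


def search_substitution(conn, value):
    """The $value$ shape: the input is pasted straight into the SQL text,
    so quote characters in the input change the statement itself."""
    sql = "SELECT name FROM customer WHERE name LIKE '%s%%' ORDER BY name" % value
    return [row[0] for row in conn.execute(sql)]


def search_bound(conn, value):
    """The #value# shape: the input travels as a bound parameter and the '%'
    is appended inside SQL (|| here and on Oracle; CONCAT(?, '%') on MySQL)."""
    sql = "SELECT name FROM customer WHERE name LIKE ? || '%' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (value,))]


def escape_like(value, esc="\\"):
    """Binding stops injection but not wildcard abuse: '%' and '_' in the
    input still act as LIKE wildcards. Escape them (and the escape char)."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_bound_escaped(conn, value):
    """Bound parameter plus wildcard escaping, with the escape character
    declared in the query so the database interprets it the same way."""
    sql = ("SELECT name FROM customer WHERE name LIKE ? || '%' ESCAPE '\\' "
           "ORDER BY name")
    return [row[0] for row in conn.execute(sql, (escape_like(value),))]


if __name__ == "__main__":
    db = make_db()
    # A constructed input that closes the string literal and adds a tautology.
    hostile = "x' OR 'a' LIKE 'a"
    print("substitution, prefix 'al':", search_substitution(db, "al"))
    print("substitution, hostile    :", search_substitution(db, hostile))
    print("bound, hostile           :", search_bound(db, hostile))
    print("bound, bare '%'          :", search_bound(db, "%"))
    print("bound+escaped, bare '%'  :", search_bound_escaped(db, "%"))
```

Run as a script: the substituted query returns every row for the hostile input because the input rewrote the WHERE clause, the bound query returns nothing because the whole string was compared as a literal prefix, and the escaped variant additionally keeps a bare `%` from matching every row.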
