ibatis-user-java mailing list archives

From "Clinton Begin" <clinton.be...@gmail.com>
Subject RE: Regarding SQL injection changing SELECT QUERY
Date Tue, 04 Mar 2008 15:27:35 GMT
IIRC

#value# + '%'

Clinton

-----Original Message-----
From: Abhishek Pratap Singh08 [mailto:Abhishek_Singh08@infosys.com] 
Sent: March-04-08 8:01 AM
To: user-java@ibatis.apache.org
Subject: Regarding SQL injection changing SELECT QUERY


Hi Again,

Suppose I have a query

Select * from table where column LIKE '$value$%'

Can be changed to
select * from table where column LIKE #value# || '%'

but this works on ORACLE....

What is the workaround for MySQL?


Regards,
Abhishek

-----Original Message-----
From: Larry Meadors [mailto:larry.meadors@gmail.com]
Sent: Tuesday, March 04, 2008 6:18 PM
To: user-java@ibatis.apache.org
Subject: Re: Regarding SQL injection

Chapter 1

Don't use the replacement ($property$) syntax unless you scrub the input.

The end.

:-)

Larry

On Tue, Mar 4, 2008 at 3:05 AM, Abhishek Pratap Singh08
<Abhishek_Singh08@infosys.com> wrote:
>
> Hi All,
>
> I need the guidelines for handling SQL
> injection in iBATIS. Any PDF or link would be very helpful.
>
> Regards,
>
> Abhishek
>
>
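The thread's point is the difference between iBATIS replacement syntax (`$value$`, text pasted straight into the SQL) and parameter syntax (`#value#`, a bound prepared-statement parameter), and how to keep the LIKE wildcard in the SQL so the value itself can be bound. The example below is added here and is not code from the thread or from iBATIS; it uses Python's built-in `sqlite3` as a stand-in database, with `%s` formatting playing the role of `$value$` and a `?` placeholder playing the role of `#value#`. The table, rows and inputs are constructed. Two facts worth keeping beside the replies: in MySQL string concatenation is `CONCAT()`, so the mapped statement would read `WHERE column LIKE CONCAT(#value#, '%')` (`||` is logical OR there unless the `PIPES_AS_CONCAT` SQL mode is set, and `+` is numeric addition); and binding the value stops SQL injection but does not stop `%` and `_` inside the value from acting as LIKE wildcards, so the third function escapes them with an `ESCAPE` clause.

```python
import sqlite3

# Constructed sample rows (not from the mailing-list thread).
ROWS = [("alice",), ("alan",), ("bob",), ("100%",)]


def make_db():
    """In-memory SQLite table standing in for the user's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", ROWS)
    return conn


def prefix_search_replacement(conn, value):
    """Equivalent of iBATIS $value$: the text becomes part of the SQL.

    A quote character in `value` ends the literal and the rest of the
    input is parsed as SQL. This is the form Larry warns against.
    """
    sql = "SELECT col FROM t WHERE col LIKE '%s%%'" % value
    return sorted(r[0] for r in conn.execute(sql))


def prefix_search_parameter(conn, value):
    """Equivalent of iBATIS #value#: the value is a bound parameter.

    The wildcard is appended inside the SQL (`? || '%'`, the Oracle form
    from the thread; MySQL would use CONCAT(?, '%')), so the driver never
    sees the user's text as SQL. `%`/`_` in the value are still wildcards.
    """
    sql = "SELECT col FROM t WHERE col LIKE ? || '%'"
    return sorted(r[0] for r in conn.execute(sql, (value,)))


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so the value matches literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def prefix_search_parameter_escaped(conn, value):
    """Bound parameter plus wildcard escaping: a strict prefix match."""
    sql = "SELECT col FROM t WHERE col LIKE ? || '%' ESCAPE '\\'"
    return sorted(r[0] for r in conn.execute(sql, (escape_like(value),)))


if __name__ == "__main__":
    db = make_db()
    for v in ["al", "a' OR '1' LIKE '1", "%", "100%"]:
        print(repr(v),
              "replacement:", prefix_search_replacement(db, v),
              "parameter:", prefix_search_parameter(db, v),
              "escaped:", prefix_search_parameter_escaped(db, v))
```

Running it shows the three behaviours side by side: a quote-bearing input turns the replacement query into a tautology that returns every row, the bound-parameter query treats the same input as a literal prefix and returns nothing, and only the escaped variant refuses to let a bare `%` match the whole table.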

