ibatis-user-java mailing list archives

From Poitras Christian <Christian.Poit...@ircm.qc.ca>
Subject RE: Regarding SQL injection changing SELECT QUERY
Date Tue, 04 Mar 2008 15:03:34 GMT
Hi,

Select * from table where column LIKE CONCAT(#value#, '%')

Christian

-----Original Message-----
From: Abhishek Pratap Singh08 [mailto:Abhishek_Singh08@infosys.com]
Sent: Tuesday, March 04, 2008 10:01 AM
To: user-java@ibatis.apache.org
Subject: Regarding SQL injection changing SELECT QUERY


Hi Again,

Suppose I have a query

Select * from table where column LIKE '$value$%'

Can be changed to
select * from table where column LIKE #value# || '%'

but this works on ORACLE....

what is the work around for MySQL?


Regards,
Abhishek

-----Original Message-----
From: Larry Meadors [mailto:larry.meadors@gmail.com]
Sent: Tuesday, March 04, 2008 6:18 PM
To: user-java@ibatis.apache.org
Subject: Re: Regarding SQL injection

Chapter 1

Don't use the replacement ($property$) syntax unless you scrub the input.

The end.

:-)

Larry

On Tue, Mar 4, 2008 at 3:05 AM, Abhishek Pratap Singh08 <Abhishek_Singh08@infosys.com>
wrote:
>
> Hi All,
>
> I need the guidelines of handling SQL injection in iBatis. Any pdf or link will be very helpful.
>
> Regards,
>
> Abhishek
>
>
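As an added illustration of the point made in this thread (example code written for this archive page, not code from the iBatis project or from any of the posters), the three query forms above are translated into Python's `sqlite3` module. SQLite, like Oracle, concatenates with `||`, so the bound form below is Abhishek's Oracle version; on MySQL the same bound form is written `LIKE CONCAT(#value#, '%')` as Christian suggests. Python `%`-formatting stands in for iBatis `$value$` substitution and a `?` placeholder stands in for `#value#` binding. The table `t`, its column `col` and the rows in `SAMPLE_ROWS` are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the "table"/"column" of the thread.
SAMPLE_ROWS = [("alice",), ("albert",), ("bob",), ("o'neil",), ("al_pha",)]


def connect():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", SAMPLE_ROWS)
    return conn


def prefix_search_substituted(conn, value):
    """Equivalent of iBatis $value$: the text is pasted into the statement.
    Mirrors  ... LIKE '$value$%'  from the thread. A quote in the input
    ends the literal, so the input can change the query, and an input
    such as o'neil simply raises a syntax error."""
    sql = "SELECT col FROM t WHERE col LIKE '%s%%' ORDER BY rowid" % value
    return [row[0] for row in conn.execute(sql)]


def prefix_search_bound(conn, value):
    """Equivalent of iBatis #value#: the driver binds the value as a
    parameter, and the '%' is appended inside SQL. SQLite and Oracle
    concatenate with ||; on MySQL write  LIKE CONCAT(?, '%')  instead."""
    sql = "SELECT col FROM t WHERE col LIKE ? || '%' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (value,))]


def prefix_search_bound_escaped(conn, value):
    """Bound parameter plus LIKE-wildcard escaping. Binding stops the
    input from altering the statement, but '%' and '_' inside the value
    are still LIKE wildcards; the ESCAPE clause makes them literal."""
    escaped = (value.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))
    sql = "SELECT col FROM t WHERE col LIKE ? || '%' ESCAPE '\\' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (escaped,))]


if __name__ == "__main__":
    db = connect()
    hostile = "' OR col LIKE '"   # constructed input containing a quote
    print("substituted:", prefix_search_substituted(db, hostile))  # every row
    print("bound:      ", prefix_search_bound(db, hostile))        # no row
    print("al_ bound:  ", prefix_search_bound(db, "al_"))          # '_' is a wildcard
    print("al_ escaped:", prefix_search_bound_escaped(db, "al_"))  # literal 'al_'
```

Run with the same input, the substituted form returns every row because the quote in the value closes the literal early, while the bound form treats the whole value as an ordinary prefix and returns nothing. The third function covers a caveat the thread does not mention: once the value is bound, it can no longer change the statement, but a `%` or `_` supplied by the user still acts as a wildcard unless it is escaped, which matters when the prefix search is meant to be literal.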
