ibatis-user-java mailing list archives

From "a.rubalcaba" <a.rubalc...@yahoo.com>
Subject Re: Ibatis CLOB Support
Date Mon, 30 Mar 2009 01:35:17 GMT

So what parameter marks should I be using?
Larry Meadors wrote:
> 
> Yikes, be careful with that thing, it's loaded. ;-)
> 
> $variable$ does substitution, so should really only be used as an
> absolute last resort because of the SQL injection risk.
> 
> Also, this statement will be sent to the database with no parameters,
> because they are all being substituted in.
> 
> For example, if you did "insert into blah (col1, col2) values ($val1$,
> $val2$)" where val1 = 12 and val2 = '34'...
> 
> The database doesn't get this: "insert into blah (col1, col2) values (?,
> ?)".
> 
> It gets "insert into blah (col1, col2) values (12, '34')" instead.
> 
> In your case, you are then trying to set parameters on it, but there
> are no parameter markers, so you get "Invalid column index".
> 
> Further, if val2 is '34;drop table blah;--', you just inserted a
> record, then dropped the table. When that happens in a live app, you
> better hope you have a recent resume. :-D
> 
> Larry
> 
> 

-- 
View this message in context: http://www.nabble.com/Ibatis-CLOB-Support-tp22745185p22775019.html
Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
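An added illustration of the point Larry makes above, not code from the thread or from iBATIS itself: iBATIS's `$value$` syntax splices the value into the SQL text before it reaches the driver, while `#value#` leaves a real parameter marker in the statement and sends the value separately. The example below reproduces both behaviours with Python's sqlite3 module as a stand-in for the JDBC/iBATIS stack, using a constructed table `blah` and a constructed hostile value; the function names are the example's own. It also reproduces the user's "no markers left to bind" failure, which sqlite3 reports as a ProgrammingError rather than "Invalid column index".

```python
import sqlite3

# Constructed hostile input. Note the payload closes the string literal and the
# VALUES list itself; a payload that sits entirely inside the quotes would just
# be stored as text, which is why the quoting matters.
HOSTILE = "34'); drop table blah; --"


def fresh_db():
    """Constructed in-memory database with the table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table blah (col1 integer, col2 text)")
    return conn


def insert_by_substitution(conn, val1, val2):
    """Mimics $val1$/$val2$: values are pasted into the SQL text, so the
    database receives a finished statement with no parameter markers.
    executescript() stands in for a driver that accepts several statements
    in one round trip, which is what makes the appended DROP run."""
    sql = "insert into blah (col1, col2) values (%s, '%s')" % (val1, val2)
    conn.executescript(sql)
    return sql


def insert_by_parameter(conn, val1, val2):
    """Mimics #val1#/#val2#: the SQL keeps '?' markers and the values travel
    out of band, so the payload is stored as an ordinary string."""
    sql = "insert into blah (col1, col2) values (?, ?)"
    conn.execute(sql, (val1, val2))
    return sql


def bind_to_substituted_statement(conn, val1, val2):
    """The mistake in the original question: substitute the values in, then
    still try to bind parameters. There are no markers, so the driver refuses.
    Returns the exception class name so the outcome can be checked."""
    sql = "insert into blah (col1, col2) values (%s, '%s')" % (val1, val2)
    try:
        conn.execute(sql, (val1, val2))
    except sqlite3.ProgrammingError as exc:
        return type(exc).__name__
    return "no error"


def table_exists(conn):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'blah'"
    ).fetchone()
    return row[0] == 1


def rows(conn):
    return conn.execute("select col1, col2 from blah order by col1").fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print(insert_by_substitution(db, 12, HOSTILE))
    print("table survived substitution:", table_exists(db))

    db = fresh_db()
    print(insert_by_parameter(db, 12, HOSTILE))
    print("table survived parameters:", table_exists(db), rows(db))

    print("binding onto a substituted statement:",
          bind_to_substituted_statement(fresh_db(), 12, "34"))
```

The substitution path inserts a row and then drops the table, exactly as described in the quoted reply; the parameter path stores the whole payload as the value of `col2` and the table is untouched. The same split applies to iBATIS: `#value#` is the marker the SqlMap should use for data, and `$value$` should be reserved for things that cannot be parameters at all, such as a column name in an ORDER BY, and only when the substituted text is validated against a fixed allow-list.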

