ibatis-user-java mailing list archives

From Larry Meadors <larry.mead...@gmail.com>
Subject Re: Ibatis CLOB Support
Date Sun, 29 Mar 2009 17:12:48 GMT
Yikes, be careful with that thing, it's loaded. ;-)

$variable$ does substitution, so should really only be used as an
absolute last resort because of the SQL injection risk.

Also, this statement will be sent to the database with no parameters,
because they are all being substituted in.

For example, if you did "insert into blah (col1, col2) values ($val1$,
$val2$)" where val1 = 12 and val2 = '34'...

The database doesn't get this: "insert into blah (col1, col2) values (?, ?)".

It gets "insert into blah (col1, col2) values (12, '34')" instead.

In your case, you are then trying to set parameters on it, but there
are no parameter markers, so you get "Invalid column index".

Further, if val2 is '34;drop table blah;--', you just inserted a
record, then dropped the table. When that happens in a live app, you
better hope you have a recent resume. :-D

Larry
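The difference Larry describes, shown as an added example (not code from the thread or from iBATIS): a small Python/sqlite3 model in which `$name$` is pasted into the SQL text and `#name#`-style binding sends the statement with `?` markers and the values separately. The table name `blah`, the `$val1$`/`$val2$` template and the sample values are taken from the message; the helper names are mine.

```python
import re
import sqlite3

# Template from the thread; with $...$ every value is textually substituted.
SQL_TEMPLATE = "insert into blah (col1, col2) values ($val1$, $val2$)"


def substitute(template, params):
    """Model $name$ substitution: values are pasted into the SQL string.
    What the driver receives is one finished statement with no markers."""
    return re.sub(r"\$(\w+)\$", lambda m: str(params[m.group(1)]), template)


def to_parameterized(template):
    """Model #name# binding: each placeholder becomes a JDBC-style '?'.
    Returns the SQL plus the parameter names in positional order."""
    names = re.findall(r"\$(\w+)\$", template)
    return re.sub(r"\$(\w+)\$", "?", template), names


def insert_with_binding(conn, template, params):
    """Execute the bound form; values travel as data, never as SQL text."""
    sql, names = to_parameterized(template)
    conn.execute(sql, [params[n] for n in names])
    conn.commit()
    return sql


def demo(val2):
    """Render the substituted SQL (not executed) and run the bound insert.
    Returns what each path produced so the two can be compared."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table blah (col1 integer, col2 text)")
    params = {"val1": 12, "val2": val2}          # constructed sample values
    rendered = substitute(SQL_TEMPLATE, params)  # shown, deliberately not run
    bound_sql = insert_with_binding(conn, SQL_TEMPLATE, params)
    rows = conn.execute("select col1, col2 from blah").fetchall()
    table_exists = conn.execute(
        "select count(*) from sqlite_master where name = 'blah'"
    ).fetchone()[0] == 1
    conn.close()
    return {"rendered": rendered, "bound_sql": bound_sql,
            "rows": rows, "table_exists": table_exists}


if __name__ == "__main__":
    for v in ("'34'", "'34'; drop table blah; --"):
        r = demo(v)
        print(r["rendered"], "|", r["bound_sql"], "|", r["rows"])
```

With binding the hostile string ends up stored verbatim as the value of `col2` and the table survives; the substituted rendering is the string a `$val2$` statement would have handed to the database.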
