ibatis-user-java mailing list archives

From DelGurth <delgu...@gmail.com>
Subject Using #PARAM# constructions within $DYNAMICSQL$
Date Tue, 28 Apr 2009 22:24:11 GMT
Hi,

I was wondering if it was possible to use #PARAM# constructions within
a $DYNAMICSQL$ query. I'm currently using iBatis sqlmap 2.3.0. And I'm
trying to get the following to work:

SELECT * FROM person
 $DYNAMICSQL$

With $DYNAMICSQL$ defined as: WHERE person.lastname LIKE '%#LASTNAME#%'

So the query being sent to the database will end up as:

SELECT * FROM person
 WHERE person.lastname LIKE '%?%'

With that I hope the filter I'm creating is less prone to SQL
Injection since the user data #LASTNAME# is still entered using bind
variables and thus properly escaped.

Just doing as above currently gives me #LASTNAME# within the query, so
it doesn't seem to be working. But I was hoping I'm doing something
wrong. Or is the $$ construction being parsed/replaced in the same run
as the ## construction? And if that's the case, is there some way to
change that behaviour of iBatis, or is there a reason you shouldn't
want that?

I hope you can help me.

Regards,
Wessel van Norel
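The question above, worked through as an added example (my own code, not from this thread or from iBatis): the `render` function is an emulation of how sqlmap 2 treats `#name#` (bind placeholder) and `$name$` (verbatim text), written as an assumption about the substitution order rather than the iBatis implementation, and sqlite3 with a constructed `person` table stands in for the real database. It reproduces the literal `#LASTNAME#` the poster saw, shows why pasting user data through `$$` is plain string concatenation, and shows the usual safe alternative of binding the whole LIKE pattern.

```python
import re
import sqlite3

# Constructed sample table; none of these rows come from the original post.
ROWS = [("Wessel", "van Norel"), ("Sam", "O'Brien"), ("Ann", "Norton")]

def render(template, text_params, bind_params):
    """Emulation (an assumption, not the iBatis source) of sqlmap 2 inline
    parameters: #name# becomes a '?' placeholder whose value is bound by the
    driver; $name$ is pasted in verbatim afterwards and is not rescanned, so
    a #name# that only occurs inside a $fragment$ stays literal in the SQL."""
    binds = []
    def placeholder(m):
        binds.append(bind_params[m.group(1)])
        return "?"
    sql = re.sub(r"#(\w+)#", placeholder, template)
    sql = re.sub(r"\$(\w+)\$", lambda m: text_params[m.group(1)], sql)
    return sql, binds

def run(sql, binds):
    """Execute against a throwaway in-memory table; return the first names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?)", ROWS)
    return [row[0] for row in conn.execute(sql, binds)]

def poster_version(lastname):
    """The construction from the post: #LASTNAME# lives only inside $DYNAMICSQL$."""
    sql, binds = render("SELECT firstname FROM person $DYNAMICSQL$",
                        {"DYNAMICSQL": "WHERE person.lastname LIKE '%#LASTNAME#%'"},
                        {"LASTNAME": lastname})
    return sql, run(sql, binds)  # no '?' is produced; '#LASTNAME#' is matched literally

def text_substituted_filter(lastname):
    """User data pasted through $$ is plain string concatenation: a quote in
    the input changes the statement, which here surfaces as a syntax error."""
    sql, binds = render("SELECT firstname FROM person WHERE lastname LIKE '%$NAME$%'",
                        {"NAME": lastname}, {})
    try:
        return run(sql, binds)
    except sqlite3.OperationalError:
        return None

def safe_filter(lastname):
    """Keep the clause static and bind the whole LIKE pattern via #pattern#."""
    sql, binds = render("SELECT firstname FROM person WHERE lastname LIKE #pattern# "
                        "ORDER BY firstname", {}, {"pattern": "%" + lastname + "%"})
    return run(sql, binds)
```

A `%` or `_` typed by the user still acts as a wildcard inside the bound pattern; escape them (or use an ESCAPE clause) if that matters for the filter.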
