ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nathan Maves <nathan.ma...@gmail.com>
Subject Re: Using #PARAM# constructions within $DYNAMICSQL$
Date Wed, 29 Apr 2009 03:30:56 GMT
I have not tried this but I don't see why it would not work.


SELECT * FROM person
 WHERE person.lastname LIKE '%'||#lastname#||'%'

the || is the concat operator for oracle.  it might be something else in
another vendor

On Tue, Apr 28, 2009 at 4:24 PM, DelGurth <delgurth@gmail.com> wrote:

> Hi,
>
> I was wondering if it was possible to use #PARAM# constructions within
> a $DYNAMICSQL$ query.I'm currently using iBatis sqlmap 2.3.0. And I'm
> trying to get the following to work:
>
> SELECT * FROM person
>  $DYNAMICSQL$
>
> With $DYNAMICSQL$ defined as: WHERE person.lastname LIKE '%#LASTNAME#%'
>
> So the query being send to the database will end up as:
>
> SELECT * FROM person
>  WHERE person.lastname LIKE '%?%'
>
> With that I hope the filter I'm creating is less prone to SQL
> Injection since the user data #LASTNAME# is still entered using bind
> variables and thus properly escaped.
>
> Just doing as above currently gives me #LASTNAME# within the query, so
> it doesn't seem to be working. But I was hoping I'm doing something
> wrong. Or is the $$ construction being parsed/replaced in the same run
> as the ## construction? And if that's the case, is there some way to
> change that behaviour of iBatis, or is there a reason you shouldn't
> want that?
>
> I hope you can help me.
>
> Regards,
> Wessel van Norel
>

Mime
View raw message