ibatis-user-java mailing list archives

From "Chris O'Connell" <oconn...@gorillachicago.com>
Subject Re: Using #PARAM# constructions within $DYNAMICSQL$
Date Wed, 29 Apr 2009 12:44:46 GMT
I sympathize with your problem.  Perhaps you could just build a set of sql
includes, each of which is the correct sql for a particular use case.  Then,
rather than building the sql string in your code, you instead just pass a
parameter into iBatis that it can use to determine which is the correct sql
include to use.  Then, you will be using ## for bind variables.
Now, if you have hundreds of these cases, or there is some complicated
algorithm that builds those 'where' clauses, then you might be out of
luck.  Your best bet in that case might be to write your own sql injection
cleaner for all input variables (not a bad idea in many cases, anyway, since
you already have to worry about cross site scripting, cross site request
forgery, css injections, etc. etc. :) ).

Chris

On Wed, Apr 29, 2009 at 3:13 AM, DelGurth <delgurth@gmail.com> wrote:

> On Wed, Apr 29, 2009 at 5:30 AM, Nathan Maves <nathan.maves@gmail.com>
> wrote:
> > I have not tried this but I don't see why it would not work.
> >
> >
> > SELECT * FROM person
> >  WHERE person.lastname LIKE '%'||#lastname#||'%'
> >
> > the || is the concat operator for oracle.  it might be something else in
> > another vendor
>
> Probably you misunderstood my question. I'm not trying to get
> #lastname# itself within my query.
>
> $$ placeholders and ## placeholders are normally parsed by iBatis. $$
> placeholders are just substituted with the value of the variable and
> ## placeholders are turned into bind variables. But if you put a ##
> placeholder _within_ the value of a $$ placeholder, iBatis doesn't
> parse the ## placeholder, so it doesn't substitute it for a bind
> variable.
>
> So I wish iBatis parsed the query twice, first to replace the $$
> placeholders and then to replace the ## placeholders _including_ the
> placeholders that were set within my $$ placeholder.
>
> Hope I made it clearer now.
>
> Regards,
> Wessel
>



-- 
Chris O'Connell
Application Developer
Gorilla
312.243.8777 x19
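The single-pass behaviour Wessel describes ($$ text pasted in verbatim, a ## marker inside it never becoming a bind variable) and the include-selector approach Chris suggests, as a simplified model added here. This is not iBatis's own parser or any project code; the statement, the `INCLUDES` table and the `$extra$` placeholder are constructed for the example.

```python
import re

# Constructed example statement, modelled on the one in the thread.
STATEMENT = ("SELECT * FROM person WHERE person.lastname LIKE '%'||#lastname#||'%' "
             "$extra$")

# Reviewed SQL fragments keyed by use case (Chris's "set of sql includes").
# The caller only ever supplies the key, never SQL text.
INCLUDES = {
    "by_city": "AND person.city = #city#",
    "active_only": "AND person.active = 1",
}

_TOKEN = re.compile(r"\$(\w+)\$|#(\w+)#")

def render(statement, params):
    """Simplified model (not iBatis's real parser) of its single pass:
    $x$ is substituted verbatim, #x# becomes a '?' bind marker.
    Text produced by a $x$ substitution is never rescanned."""
    binds = []
    def repl(m):
        if m.group(1) is not None:          # $x$ : raw string substitution
            return str(params[m.group(1)])
        binds.append(params[m.group(2)])    # #x# : bind variable
        return "?"
    return _TOKEN.sub(repl, statement), binds

def build_with_include(template, include_key):
    """Model of an <include>: the fragment is spliced into the statement when
    the SQL map is loaded, i.e. before render() runs, so its #x# markers are
    parsed as bind variables. An unknown key raises KeyError (whitelist)."""
    return template.replace("$extra$", INCLUDES[include_key])

def demo():
    params = {"lastname": "Smith", "city": "Chicago",
              "extra": "AND person.city = #city#"}
    # Wessel's situation: #city# arrives inside the $extra$ value, is pasted
    # in verbatim and stays a literal '#city#' in the SQL; only one bind.
    sql_dyn, binds_dyn = render(STATEMENT, params)
    # Chris's suggestion: select a reviewed include by key; #city# is now bound.
    sql_inc, binds_inc = render(build_with_include(STATEMENT, "by_city"), params)
    return sql_dyn, binds_dyn, sql_inc, binds_inc

if __name__ == "__main__":
    for item in demo():
        print(item)
```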
