From: Nathan Maves
Date: Tue, 28 Apr 2009 21:30:56 -0600
Subject: Re: Using #PARAM# constructions within $DYNAMICSQL$
To: user-java@ibatis.apache.org
Message-ID: <2f55db670904282030o66f04b3ei1b8881a0a9f76cc9@mail.gmail.com>
In-Reply-To: <10268b3e0904281524q19b6bdc6tf72535fabc780de6@mail.gmail.com>

I have not tried this but I don't see why it would not work.

SELECT * FROM person
 WHERE person.lastname LIKE '%'||#lastname#||'%'

The || is the concat operator for Oracle. It might be something else in another vendor.

On Tue, Apr 28, 2009 at 4:24 PM, DelGurth <delgurth@gmail.com> wrote:
> Hi,
>
> I was wondering if it was possible to use #PARAM# constructions within
> a $DYNAMICSQL$ query. I'm currently using iBatis sqlmap 2.3.0. And I'm
> trying to get the following to work:
>
> SELECT * FROM person
>  $DYNAMICSQL$
>
> With $DYNAMICSQL$ defined as: WHERE person.lastname LIKE '%#LASTNAME#%'
>
> So the query being sent to the database will end up as:
>
> SELECT * FROM person
>  WHERE person.lastname LIKE '%?%'
>
> With that I hope the filter I'm creating is less prone to SQL
> Injection since the user data #LASTNAME# is still entered using bind
> variables and thus properly escaped.
>
> Just doing as above currently gives me #LASTNAME# within the query, so
> it doesn't seem to be working. But I was hoping I'm doing something
> wrong. Or is the $$ construction being parsed/replaced in the same run
> as the ## construction? And if that's the case, is there some way to
> change that behaviour of iBatis, or is there a reason you shouldn't
> want that?
>
> I hope you can help me.
>
> Regards,
> Wessel van Norel
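An added illustration of the point the two messages above are making, written for this archive page and not code from the thread or from the iBatis project. It emulates, by hand, the two iBatis substitution styles discussed: $...$ (the fragment is pasted into the statement as text) and #...# (the value travels as a bind variable), and uses the concat form Nathan suggests, '%' || ? || '%', which works on both Oracle and the in-memory SQLite used here. The table, rows, and function names are constructed assumptions for the demo. It also shows the caveat a bind variable does not cover: a bound value can still carry the LIKE wildcards % and _, so a search filter that should match literally needs an ESCAPE clause as well.

```python
import sqlite3

# Constructed sample rows for the demo (not from the mailing-list thread).
PEOPLE = [("Smith",), ("Van Norel",), ("O'Brien",), ("Maves",)]


def make_db():
    """In-memory SQLite with a one-column person table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (lastname TEXT)")
    conn.executemany("INSERT INTO person VALUES (?)", PEOPLE)
    return conn


def naive_fragment(user_value):
    """The fragment the question was aiming at, but with the user's value
    written straight into the text, as $DYNAMICSQL$ substitution does."""
    return "WHERE lastname LIKE '%" + user_value + "%'"


def find_with_substitution(conn, fragment):
    """Emulates $DYNAMICSQL$: the fragment is pasted into the SQL string.
    Whatever the user typed is now SQL, not data."""
    sql = "SELECT lastname FROM person " + fragment
    return [row[0] for row in conn.execute(sql)]


def find_with_bind(conn, lastname):
    """Emulates #lastname#: the value is a bind variable, and the wildcards
    are concatenated inside SQL with ||, as in Nathan's reply.
    Quote characters in the value cannot break out of the statement."""
    sql = "SELECT lastname FROM person WHERE lastname LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (lastname,))]


def find_with_bind_escaped(conn, lastname):
    """Same as find_with_bind, but LIKE metacharacters in the value are
    escaped so '%' and '_' typed by the user match literally."""
    escaped = (lastname.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    sql = ("SELECT lastname FROM person "
           "WHERE lastname LIKE '%' || ? || '%' ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql, (escaped,))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 'a' LIKE 'a"          # constructed injection string
    print("substituted:", find_with_substitution(db, naive_fragment(payload)))
    print("bound:      ", find_with_bind(db, payload))
    print("wildcard:   ", find_with_bind(db, "%"))
    print("escaped:    ", find_with_bind_escaped(db, "%"))
```

With the pasted fragment, the payload turns the filter into `LIKE '%x' OR 'a' LIKE 'a%'` and every row comes back; with the bound value it matches nothing. The last two calls show why binding alone is not the whole story for a search box: a bare `%` bound into `'%' || ? || '%'` still matches every row until the wildcards are escaped.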