ibatis-user-java mailing list archives

From DelGurth <delgu...@gmail.com>
Subject Re: Using #PARAM# constructions within $DYNAMICSQL$
Date Tue, 05 May 2009 08:45:25 GMT
On Wed, Apr 29, 2009 at 12:24 AM, DelGurth <delgurth@gmail.com> wrote:
> Hi,
>
> I was wondering if it was possible to use #PARAM# constructions within
> a $DYNAMICSQL$ query. I'm currently using iBatis sqlmap 2.3.0. And I'm
> trying to get the following to work:
>
> SELECT * FROM person
>  $DYNAMICSQL$
>
> With $DYNAMICSQL$ defined as: WHERE person.lastname LIKE '%#LASTNAME#%'
>
> So the query being sent to the database will end up as:
>
> SELECT * FROM person
>  WHERE person.lastname LIKE '%?%'
>
> With that I hope the filter I'm creating is less prone to SQL
> Injection since the user data #LASTNAME# is still entered using bind
> variables and thus properly escaped.
>
> Just doing as above currently gives me #LASTNAME# within the query, so
> it doesn't seem to be working. But I was hoping I'm doing something
> wrong. Or is the $$ construction being parsed/replaced in the same run
> as the ## construction? And if that's the case, is there some way to
> change that behaviour of iBatis, or is there a reason you shouldn't
> want that?
>
> I hope you can help me.
>
> Regards,
> Wessel van Norel
>

We have been working on a solution for our problem. The general idea
is to add an extra attribute to the <dynamic> tag,
"deferSubstitutions". If you specify it with true, the ##
substitutions are done after the $$ substitutions. With this we can
make it work with minimal changes to iBatis and keeping it backwards
compatible.

The question now is, should we propose this change to iBatis, and if
so how to do that?

I'll apply the patch we made to this message, so you can see what we
have changed.

Regards,
Wessel

P.S. this patch has been created on iBatis 2.3.0, not HEAD.
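The ordering the message asks for ($$ fragments spliced in as text first, #NAME# markers turned into bind parameters afterwards), modelled as an added example that is not iBATIS code and not part of the original thread. The expander, the person table and the function names are assumptions for this demo; it runs against an in-memory SQLite database. One deliberate difference from the fragment quoted above: the wildcards are concatenated in SQL ('%' || #LASTNAME# || '%') instead of being written as '%#LASTNAME#%', because a ? that ends up inside a quoted literal is just a character of that literal, not a bind marker.

```python
import re
import sqlite3

# Added example, not iBATIS code: a toy two-pass template expander. Pass 1
# splices developer-authored $FRAGMENT$ text verbatim; pass 2 converts every
# #NAME# marker, including ones that arrived via a fragment, into a '?' bind
# parameter. Names such as expand() and the person table are assumptions.

DOLLAR = re.compile(r"\$([A-Za-z_]\w*)\$")   # $FRAGMENT$ -> trusted SQL text
HASH = re.compile(r"#([A-Za-z_]\w*)#")       # #NAME#     -> bind parameter


def expand(template, fragments, params):
    """Return (sql, values): $$ substituted textually, then every #NAME#
    turned into a '?' placeholder with its value collected in order."""
    # Pass 1: only developer-controlled text may go here; user data belongs
    # in params, never in a fragment.
    sql = DOLLAR.sub(lambda m: fragments[m.group(1)], template)

    # Pass 2: deferred ## substitution, so markers from a fragment are bound.
    values = []

    def bind(m):
        values.append(params[m.group(1)])
        return "?"

    return HASH.sub(bind, sql), values


def setup():
    """Constructed sample data for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?)",
                     [("Wessel", "van Norel"), ("Ada", "Lovelace"),
                      ("Grace", "Hopper")])
    return conn


TEMPLATE = "SELECT firstname FROM person $DYNAMICSQL$ ORDER BY firstname"
# Wildcards concatenated in SQL: '%#LASTNAME#%' would yield '%?%', a literal.
FRAGMENTS = {"DYNAMICSQL": "WHERE person.lastname LIKE '%' || #LASTNAME# || '%'"}


def search_bound(conn, lastname):
    """Deferred ## substitution: the user value travels as a bind parameter."""
    sql, values = expand(TEMPLATE, FRAGMENTS, {"LASTNAME": lastname})
    return [row[0] for row in conn.execute(sql, values)]


def search_concat(conn, lastname):
    """What the message is trying to avoid: user data pasted into the $$
    fragment as text, so quotes in it become SQL syntax."""
    fragment = {"DYNAMICSQL": "WHERE person.lastname LIKE '%" + lastname + "%'"}
    sql, values = expand(TEMPLATE, fragment, {})
    return [row[0] for row in conn.execute(sql, values)]


if __name__ == "__main__":
    conn = setup()
    print(search_bound(conn, "Norel"))            # ['Wessel']
    payload = "x%' OR '1%'='1"                    # constructed injection input
    print(search_bound(conn, payload))            # []  (bound as a literal)
    print(search_concat(conn, payload))           # ['Ada', 'Grace', 'Wessel']
```

Note that binding the value only neutralises quoting; % and _ inside the user string are still LIKE wildcards, which is a separate concern (an ESCAPE clause) from the injection the message is about.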
