ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alin Popa <alin.p...@gmail.com>
Subject Re: string substitution example/docs
Date Fri, 15 May 2009 21:08:31 GMT
Thanks Brandon,

I didn't know if I need to pass the literal in a special way, but it
seems that is pretty straight forward.
Regarding public access to that literal, of course, it's a private
place where this will be done.
My need for that string substitution is to add dynamic pieces of SQL
into already existing ones.

On Sat, May 16, 2009 at 12:02 AM, Brandon Goodin
<brandon.goodin@gmail.com> wrote:
> There isn't much to say. $blah$ is a literal whereas #blah# will convert to
> a ? for the prepared statement.
> say you have a property of id on Person and set its value to 1
> public class Person {
>   private Integer id;
>   //getter/setter
> }
> If you use the following syntax in your mapped statement:
> select name from person where id = #id#
> ibatis will convert the #id# to a ? for use in the prepared statement:
> select name from person where id = ?
> if on the other hand you used the $id$ ibatis would pass the following to
> the prepared statement
> select name from person where id = 1
> The obvious caution here is that the $literal$ syntax should never be
> utilized in a place that the public can alter it. You open yourself to SQL
> injection risks. In other words don't take a value that is passed in from a
> web page and assign it in your SQL as s literal.
> Brandon
> On Fri, May 15, 2009 at 3:52 PM, Alin Popa <alin.popa@gmail.com> wrote:
>> Hi,
>> There is a place where I can find some documentation/examples/links
>> related to string substitution in ibatis ? ($substitution$ thingy
>> ....)
>> In the official pdf documentation I didn't find anything about it;
>> also google didn't helped much.
>> Thanks,
>> Alin

Best Regards,


View raw message