So what parameter marks should I be using?


Larry Meadors wrote:
> 
> Yikes, be careful with that thing, it's loaded. ;-)
> 
> $variable$ does substitution, so should really only be used as an
> absolute last resort because of the SQL injection risk.
> 
> Also, this statement will be sent to the database with no parameters,
> because they are all being substituted in.
> 
> For example, if you did "insert into blah (col1, col2) values ($val1$,
> $val2$)" where val1 = 12 and val2 = '34'...
> 
> The database doesn't get this: "insert into blah (col1, col2) values (?,
> ?)".
> 
> It gets "insert into blah (col1, col2) values (12, '34')" instead.
> 
> In your case, you are then trying to set parameters on it, but there
> are no parameter markers, so you get "Invalid column index".
> 
> Further, if val2 is '34;drop table blah;--', you just inserted a
> record, then dropped the table. When that happens in a live app, you
> better hope you have a recent resume. :-D
> 
> Larry
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Ibatis-CLOB-Support-tp22745185p22775019.html
Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
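The two marker styles Larry contrasts, as an added example that is not code from this thread or from iBATIS itself: a small Python model of `$name$` substitution versus `#name#` binding, run against an in-memory SQLite table with a constructed payload in the spirit of the one in the mail. It assumes the database executes the statement text exactly as sent, separators included (modelled here with `executescript`), which is what makes the substituted form dangerous.

```python
import re
import sqlite3

# Constructed payload modelled on the one in the mail: it closes the quoted
# value, ends the INSERT, appends a DROP TABLE and comments out the remainder.
HOSTILE_VAL2 = "34'); drop table blah; --"

def substitute(sql, params):
    """$name$ style: splice each value's text straight into the statement.
    No markers remain, so later setXxx() calls hit "Invalid column index",
    and a hostile value becomes part of the SQL."""
    return re.sub(r"\$(\w+)\$", lambda m: str(params[m.group(1)]), sql)

def bind(sql, params):
    """#name# style: replace each marker with '?' and collect the values in
    order, so the driver sends them separately from the statement text."""
    values = []
    def marker(m):
        values.append(params[m.group(1)])
        return "?"
    return re.sub(r"#(\w+)#", marker, sql), values

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table blah (col1 integer, col2 text)")
    return conn

def table_exists(conn):
    row = conn.execute("select 1 from sqlite_master where name='blah'").fetchone()
    return row is not None

def demo_substitution(val1, val2):
    """Returns (sql_sent, table_still_there) for the $...$ form."""
    conn = fresh_db()
    sql = substitute("insert into blah (col1, col2) values ($val1$, '$val2$')",
                     {"val1": val1, "val2": val2})
    # executescript runs the text exactly as sent, separators included, which
    # is what a driver that accepts multiple statements would do.
    conn.executescript(sql)
    return sql, table_exists(conn)

def demo_binding(val1, val2):
    """Returns (sql_sent, table_still_there, stored_col2) for the #...# form."""
    conn = fresh_db()
    sql, values = bind("insert into blah (col1, col2) values (#val1#, #val2#)",
                       {"val1": val1, "val2": val2})
    conn.execute(sql, values)  # values travel as parameters, never as SQL
    stored = conn.execute("select col2 from blah").fetchone()[0]
    return sql, table_exists(conn), stored
```

With the hostile value, `demo_substitution` sends one text containing two statements and the table is gone afterwards, while `demo_binding` sends `values (?, ?)` plus the value and simply stores the payload as a string.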
