If you use a parameterMap, use question marks (?). If you use a parameterClass, then use hash marks (#id#, etc.). In your case, use question marks.

Jeff Butler

On Sun, Mar 29, 2009 at 8:35 PM, a.rubalcaba <a.rubalc...@yahoo.com> wrote:
>
> So what parameter marks should I be using?
>
>
> Larry Meadors wrote:
>>
>> Yikes, be careful with that thing, it's loaded. ;-)
>>
>> $variable$ does substitution, so should really only be used as an
>> absolute last resort because of the SQL injection risk.
>>
>> Also, this statement will be sent to the database with no parameters,
>> because they are all being substituted in.
>>
>> For example, if you did "insert into blah (col1, col2) values ($val1$,
>> $val2$)" where val1 = 12 and val2 = '34'...
>>
>> The database doesn't get this: "insert into blah (col1, col2) values (?,
>> ?)".
>>
>> It gets "insert into blah (col1, col2) values (12, '34')" instead.
>>
>> In your case, you are then trying to set parameters on it, but there
>> are no parameter markers, so you get "Invalid column index".
>>
>> Further, if val2 is '34;drop table blah;--', you just inserted a
>> record, then dropped the table. When that happens in a live app, you
>> better hope you have a recent resume. :-D
>>
>> Larry
>>
>
> --
> View this message in context:
> http://www.nabble.com/Ibatis-CLOB-Support-tp22745185p22775019.html
> Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
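As an added example (not code from this thread or from iBATIS), a small Python stand-in for the two marker styles Larry describes, run against sqlite3: `render_substitution` and `render_parameters` are constructed imitations of `$name$` splicing and `#name#` binding, and `executescript` is used only to emulate a driver that runs a batched statement as sent.

```python
import re
import sqlite3

# Constructed stand-ins for the two iBATIS marker styles (not iBATIS code).
def render_substitution(sql, params):
    """$name$ style: values are spliced into the statement text, no markers remain."""
    return re.sub(r"\$(\w+)\$", lambda m: str(params[m.group(1)]), sql), ()

def render_parameters(sql, params):
    """#name# style: markers become ? and the values travel as bind parameters."""
    names = re.findall(r"#(\w+)#", sql)
    return re.sub(r"#\w+#", "?", sql), tuple(params[n] for n in names)

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table blah (col1 integer, col2 text)")
    return conn

def table_exists(conn):
    row = conn.execute("select count(*) from sqlite_master where name='blah'").fetchone()
    return row[0] == 1

INSERT_SUBST = "insert into blah (col1, col2) values ($val1$, $val2$)"
INSERT_PARAM = "insert into blah (col1, col2) values (#val1#, #val2#)"
HOSTILE = "'34');drop table blah;--"  # constructed hostile value for col2

def binding_onto_substituted_sql():
    """Mirror of 'Invalid column index': binding values onto SQL that has no markers."""
    conn = fresh_db()
    sql, _ = render_substitution(INSERT_SUBST, {"val1": 12, "val2": "'34'"})
    try:
        conn.execute(sql, (12, "34"))  # caller still believes two markers exist
        return None
    except sqlite3.ProgrammingError as exc:
        return str(exc)

def substituted_with_hostile_value():
    """$val2$ splicing: the value becomes SQL text; returns whether blah survived."""
    conn = fresh_db()
    sql, _ = render_substitution(INSERT_SUBST, {"val1": 12, "val2": HOSTILE})
    conn.executescript(sql)  # emulates a driver that executes the batch as sent
    return table_exists(conn)

def parameterized_with_hostile_value():
    """#val2# binding: the same value is stored as a plain string; blah survives."""
    conn = fresh_db()
    sql, bound = render_parameters(INSERT_PARAM, {"val1": 12, "val2": HOSTILE})
    conn.execute(sql, bound)
    return table_exists(conn), conn.execute("select col2 from blah").fetchone()[0]
```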