----------------------- 侯欣杰 (kj021320) Information Security
-----------------------
Hi,

I work for a B2B company and I use iBATIS to map the SQL. But I know the $ in an iBATIS sqlmap replaces the string, and this is unsafe.

I usually use $ in "order by", "group by", or where I need a dynamic column, like this:

    Select * from table order by $column$

because I can't use it like this:

    Select * from table order by #column:VARCHAR#

So I must check it in the bean type, using an enum.

Can iBATIS add a METADATA type to help me stop SQL injection in it? I must extend the iBATIS sqlmap engine now.

    Select * from table order by $column:METADATA$

The native SQL is:

    ORACLE, MSSQL, SYBASE:  Select * from table order by "ID"
    MYSQL, POSTGRESQL:      Select * from table order by `ID`

I think you can add this function in the next iBATIS version.

Thanks all
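
An added example, not part of the original post and not an iBATIS API: one way to do the check the post describes before a value reaches `order by $column$`, by resolving the requested name against a fixed set of column names and then quoting it in the identifier style of the target database. The class name `OrderByColumn`, the enum `Quote` and the column names are hypothetical; Java 10 or later is assumed.

```java
import java.util.Set;

/** Hypothetical helper: turns a caller-supplied sort key into a safe, quoted identifier. */
public final class OrderByColumn {

    /** The two identifier quoting styles shown in the post. */
    public enum Quote {
        DOUBLE("\""), BACKTICK("`");
        final String ch;
        Quote(String ch) { this.ch = ch; }
    }

    private final Set<String> allowed; // the table's real column names, fixed at build time
    private final Quote quote;

    public OrderByColumn(Set<String> allowed, Quote quote) {
        this.allowed = Set.copyOf(allowed);
        this.quote = quote;
    }

    /** Returns the quoted identifier, or throws if the name is not an allowlisted column. */
    public String resolve(String requested) {
        if (requested == null || !allowed.contains(requested)) {
            throw new IllegalArgumentException("not a sortable column");
        }
        // Doubling the quote character is defence in depth: an allowlisted
        // name that itself contains the quote still stays inside the identifier.
        return quote.ch + requested.replace(quote.ch, quote.ch + quote.ch) + quote.ch;
    }

    public static void main(String[] args) {
        Set<String> columns = Set.of("ID", "NAME"); // constructed sample columns
        OrderByColumn doubleQuoted = new OrderByColumn(columns, Quote.DOUBLE);
        OrderByColumn backticked = new OrderByColumn(columns, Quote.BACKTICK);

        // The resolved string is what would be bound to the "column" property
        // that the sqlmap substitutes into: order by $column$
        System.out.println("order by " + doubleQuoted.resolve("ID"));
        System.out.println("order by " + backticked.resolve("NAME"));

        try {
            doubleQuoted.resolve("ID\" DESC --"); // constructed input, not a column name
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is what stops the injection; the quoting only makes the emitted identifier match the database's syntax.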