: Pham Anh Tuan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 5 July 2005 12.16
To: iBatis
Subject: [HELP] Whether or not iBatis support SQL Injection?
Hi all,
I don't know whether or not iBatis support checking SQL Injection or not ?
plz help me :)
Pham
, 2005 10:25 AM
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
When you use this:
<select id="good" resultMap="myResultMap">
  select * from foo where id = #value#
</select>
...and call it like this:
MyBean b = (MyBean)sqlMap.queryForObject("good", new Integer(1));
...iBATIS creates
-
From: Larry Meadors [EMAIL PROTECTED]
To: user-java@ibatis.apache.org
Sent: Wednesday, July 06, 2005 10:25 AM
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
When you use this:
<select id="good" resultMap="myResultMap">
  select * from foo where id = #value#
</select>
-
From: Larry Meadors [EMAIL PROTECTED]
To: user-java@ibatis.apache.org
Sent: Wednesday, July 06, 2005 1:48 PM
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
The difference is that the driver is responsible for escaping the
parameters, not your application. What that means
@ibatis.apache.org
Sent: Wednesday, July 06, 2005 1:48 PM
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
The difference is that the driver is responsible for escaping the
parameters, not your application. What that means in more practical
terms is that if the parameter is '1;drop table foo
If so, in another case, if another column named Name, data type is
Varchar(or String), we have sql like below:
select * from user where name = ?
and ? has value is 'bowl;drop table foo;--' ... what will happen, Larry ?
The query would be considered as
select * from user where name =
]
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
Oh, wait a minute, Larry!
[
if the parameter is '1;drop table foo;--', then the
query will fail, because it is not an integer
]
As I guess, maybe there will be a comparison between the data type of the
column name Id with the data type
Subject: [HELP] Whether or not iBatis support SQL Injection?
Hi all,
I don't know whether or not iBatis support checking SQL Injection or not ?
plz help me :)
Pham
If you are using the #myProperty# delimiters you need not worry about
sql injection. If you use the $myProperty$ literals you would need to
guard against sql injection on your own.
Brandon.
On 7/5/05, Pham Anh Tuan [EMAIL PROTECTED] wrote:
Hi all,
I don't know whether or not iBatis
in using ## ???
help me!
- Original Message -
From: Brandon Goodin [EMAIL PROTECTED]
To: user-java@ibatis.apache.org
Sent: Tuesday, July 05, 2005 8:54 PM
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
If you are using the #myProperty# delimiters you need not worry