Thanks again, Milivoj.
 
Yes, you are right, DescResultados is a string and contains that special
character (and potentially many others).
 
This should not be a problem if the command is built with parameters (I
mean, ADO.NET parameter objects). But, as I get a syntax exception, I
realized that IBatis is concatenating strings to build the command, which is
a big risk with the "SQL injection" guys out there.
 
I appreciate your effort
 
Carlos Peix

  _____  

From: Milivoj Milani [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2008 10:43 a.m.
To: [email protected]
Subject: RE: MySql provider



Hi Carlos,

 

If I understood you correctly DescResultados is a string? Does it have
special characters in it, like ' or \   ?

 

Milivoj

 

From: Carlos Peix [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 10, 2008 1:38 PM
To: [email protected]
Subject: RE: MySql provider

 

Hi Milivoj,

 

Thanks for your answer, of course I can add more info.

 

Provider config:

 

 <provider
    name="MySql"
    description="MySQL, MySQL provider 1.0.9.0"
    enabled="true"
    assemblyName="MySql.Data, Version=1.0.9.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d"
    connectionClass="MySql.Data.MySqlClient.MySqlConnection"
    commandClass="MySql.Data.MySqlClient.MySqlCommand"
    parameterClass="MySql.Data.MySqlClient.MySqlParameter"
    parameterDbTypeClass="MySql.Data.MySqlClient.MySqlDbType"
    parameterDbTypeProperty="MySqlDbType"
    dataAdapterClass="MySql.Data.MySqlClient.MySqlDataAdapter"
    commandBuilderClass="MySql.Data.MySqlClient.MySqlCommandBuilder"
    usePositionalParameters="false"
    useParameterPrefixInSql="true"
    useParameterPrefixInParameter="true"
    parameterPrefix="?"
    allowMARS="false" />
 

Command: 

 

<update id="UpdateInmueble" parameterClass="Inmueble">
   UPDATE Inmuebles SET
    DescUbicacion = #DescUbicacion#,
    DescResultados = #DescResultados#,
    DescFicha = #DescFicha#,

    ... (other fields omitted)
    UltModificacion = SYSDATE()
    WHERE CodInmobiliaria = #CodInmobiliaria#
    AND CodInmueble = #CodInmueble#
</update>

parameterClass="Inmueble", where Inmueble is a POCO; the problem was with the
DescResultados field (free text in the database).

 

Thanks

 

Carlos Peix

 

  _____  

From: Milivoj Milani [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2008 09:46 a.m.
To: [email protected]
Subject: RE: MySql provider

Can you give us an excerpt from your configuration files? It is hard to
answer without it.

 

 

From: Carlos Peix [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 10, 2008 12:43 PM
To: [email protected]
Subject: MySql provider

 

Hi all,

 

We are using DataMapper version 1.6.1.0 on .NET 1.1 with the MySql.Data
driver, version 1.0.10.x, and MySql 5.x.

 

We are surprised because it seems like IBatis, with that provider at least, is
building the query by concatenating strings. The error arose as an Incorrect
syntax exception from MySql due to a single quote ( ' ) in the comment
issued to the DB.

 

We verified that the data had that character inside, but it is not supposed to
matter if the query is sent with parameters.

 

Are we missing something? Why is IBatis not sending a command with
parameters? Does it depend on provider configuration?

 

The problem doesn't appear with the old ByteFX provider, but that one doesn't work
with the new authentication in MySql 5.0.

 

Thanks and have a nice week

 

Carlos Peix

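The concatenation-versus-parameters point raised in this thread, as an added example that is not from the list posts nor from iBATIS or MySql.Data. It reproduces the two things a practitioner wants to see: that a legitimate value containing a single quote breaks a concatenated UPDATE (the symptom Carlos reports, and the cheapest check that a mapper is really binding parameters), and that the same concatenation lets a crafted value rewrite the WHERE clause, whereas bound parameters store both strings verbatim. Assumptions: Python's sqlite3 stands in for MySQL and MySql.Data (only the placeholder syntax differs; MySql.Data 1.0.x used "?name" as configured above, sqlite3 uses ":name"); the table and column names come from the mapping in the thread; the rows and the two input strings are constructed for the demo.

```python
import sqlite3

# Constructed sample data. sqlite3 stands in for MySQL/MySql.Data (assumption): the
# concatenation-vs-parameter behaviour is the same for any ADO.NET/DB-API driver,
# only the placeholder syntax differs ("?name" in MySql.Data 1.0.x, ":name" here).
def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Inmuebles (CodInmobiliaria INTEGER, CodInmueble INTEGER, "
        "DescResultados TEXT)"
    )
    conn.executemany(
        "INSERT INTO Inmuebles VALUES (?, ?, ?)",
        [(1, 100, "original 100"), (1, 200, "original 200")],
    )
    return conn


def update_concatenated(conn, cod_inmob, cod_inm, desc):
    """The failure mode the thread describes: the value is spliced into the SQL text."""
    sql = (
        "UPDATE Inmuebles SET DescResultados = '" + desc + "' "
        "WHERE CodInmobiliaria = " + str(cod_inmob)
        + " AND CodInmueble = " + str(cod_inm)
    )
    conn.execute(sql)
    conn.commit()
    return sql


def update_parameterized(conn, cod_inmob, cod_inm, desc):
    """What #DescResultados# is supposed to become: a placeholder plus a bound parameter."""
    sql = (
        "UPDATE Inmuebles SET DescResultados = :desc "
        "WHERE CodInmobiliaria = :inmob AND CodInmueble = :inm"
    )
    conn.execute(sql, {"desc": desc, "inmob": cod_inmob, "inm": cod_inm})
    conn.commit()
    return sql


def read_desc(conn, cod_inm):
    row = conn.execute(
        "SELECT DescResultados FROM Inmuebles WHERE CodInmueble = ?", (cod_inm,)
    ).fetchone()
    return row[0]


def demo():
    results = {}
    # A legitimate free-text comment with a single quote (constructed).
    free_text = "Cliente dijo: 'no me interesa'"
    # A crafted value that closes the literal and comments out the real WHERE clause.
    payload = "pwned' WHERE 1=1 -- "

    # 1. Concatenation + a stray quote -> the syntax error seen in the thread.
    conn = fresh_db()
    try:
        update_concatenated(conn, 1, 100, free_text)
        results["concat_error"] = None
    except sqlite3.OperationalError as e:
        results["concat_error"] = str(e)

    # 2. Concatenation + crafted value -> every row is updated, not just CodInmueble 100.
    conn = fresh_db()
    update_concatenated(conn, 1, 100, payload)
    results["concat_injected_rows"] = [read_desc(conn, 100), read_desc(conn, 200)]

    # 3. Bound parameters -> both strings are stored verbatim, only the targeted row changes.
    conn = fresh_db()
    update_parameterized(conn, 1, 100, free_text)
    update_parameterized(conn, 1, 200, payload)
    results["param_rows"] = [read_desc(conn, 100), read_desc(conn, 200)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The quick diagnostic is case 1: if a value with a single quote produces a syntax error from the server, the text reached the server inside the SQL string, and the mapper (or the provider configuration behind it) is not binding parameters, whatever the `#...#` notation suggests. Case 2 is why that matters beyond a broken update: once the value is part of the statement text, the WHERE clause is under the caller's control.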