Yes, it does pass the SQL directly to the driver, but unless you use the $$ syntax for parameters, you should be safe with iBATIS.
The $$ syntax is the only part of iBATIS that allows string concatenation, which is the biggest source of SQL injection attacks. If you are using a really crappy JDBC driver, you could have issues with it somehow botching things in its implementation of prepared statements, but I have not heard of a single case of that happening.

Larry

On 7/5/05, Fabrizio Gianneschi <[EMAIL PROTECTED]> wrote:
>
> Since iBatis uses PreparedStatements a lot, it's safer than old-school JDBC code, even if it's still vulnerable because it passes the SQL directly to the driver without checking, afaik. You can always use some good tricks to increase the robustness of your SQL, but...
>
> ...this type of checking is not the responsibility of a SQL mapper layer like iBATIS.
> I think you should check your user input in higher server-side layers, such as the presentation one; Struts Actions and/or ActionForms, for example.
>
> Fab
>
> ________________________________
> From: Pham Anh Tuan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 5 July 2005 12:16
> To: iBatis
> Subject: [HELP] Whether or not iBatis supports SQL Injection?
>
>
>
> Hi all,
>
> I don't know whether or not iBatis supports checking SQL Injection?
>
> Please help me :)
>
> Pham
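To make Larry's distinction concrete, here is an added example that is not part of the thread and is not iBATIS code: a small Python emulation of the two iBATIS parameter syntaxes, where `$name$` is pasted into the SQL text and `#name#` becomes a driver-bound parameter (a `?` placeholder), run against an in-memory SQLite table. The mapped statements, the `users` table, the sample rows and the `SORTABLE` allowlist are all constructed for the example. It also shows the one place where `$x$` is genuinely needed, an `ORDER BY` identifier, and the allowlist check a practitioner would put in front of it.

```python
"""Emulate iBATIS's $name$ (text substitution) and #name# (bound parameter)
syntaxes to show why only the former is an SQL-injection risk.
All SQL, table names and rows here are constructed for the example."""
import re
import sqlite3

# Constructed sample rows, not taken from the mailing-list thread.
SAMPLE_USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]

# Hypothetical mapped statements, spelled the way an iBATIS sqlMap would:
# $name$ is pasted into the SQL string, #name# is passed to the driver as
# a PreparedStatement parameter.
UNSAFE_SQL = "SELECT id, name FROM users WHERE name = '$name$'"
SAFE_SQL = "SELECT id, name FROM users WHERE name = #name#"
ORDERED_SQL = "SELECT id, name FROM users ORDER BY $col$"

# Assumed allowlist of columns a caller may sort on; identifiers cannot be
# bound as parameters, so this check is what makes $col$ acceptable.
SORTABLE = {"id", "name", "email"}

# One regex for both syntaxes so the string is scanned exactly once.
PARAM_RE = re.compile(r"\$(\w+)\$|#(\w+)#")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def render(mapped_sql, params):
    """Return (sql, binds) for a mapped statement.

    A single pass is used so that text pasted in via $x$ is never
    re-scanned for further placeholders.
    """
    binds = []

    def replace(m):
        if m.group(1) is not None:           # $x$ : textual substitution
            return str(params[m.group(1)])
        binds.append(params[m.group(2)])     # #x# : driver-bound parameter
        return "?"

    return PARAM_RE.sub(replace, mapped_sql), binds


def run(conn, mapped_sql, params):
    sql, binds = render(mapped_sql, params)
    return conn.execute(sql, binds).fetchall()


def validated_column(col, allowed=SORTABLE):
    """Allowlist check for the one case where $x$ is needed: identifiers."""
    if col not in allowed:
        raise ValueError(f"column not sortable: {col!r}")
    return col


def demo():
    conn = make_db()
    payload = "alice' OR '1'='1"   # classic tautology payload
    return {
        "unsafe_normal": run(conn, UNSAFE_SQL, {"name": "alice"}),
        "unsafe_payload": run(conn, UNSAFE_SQL, {"name": payload}),
        "safe_normal": run(conn, SAFE_SQL, {"name": "alice"}),
        "safe_payload": run(conn, SAFE_SQL, {"name": payload}),
        "ordered": run(conn, ORDERED_SQL, {"col": validated_column("name")}),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} {rows}")
```

With the payload, the `$name$` statement becomes `WHERE name = 'alice' OR '1'='1'` and returns every row; the `#name#` statement stays `WHERE name = ?` with the payload handed to the driver as data, and returns nothing. The `validated_column` check is the kind of higher-layer input validation Fab's reply refers to: the mapper cannot do it for you, because for an identifier there is no parameter to bind.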