[
select * from foo where id = ?
...then a second parameter is sent to the driver to tell it that the
value of the ? placeholder is 1. The parameter 1 is not used to modify
the SQL.
]
why does the solution above can protect us from SQL Injection problems?
because, I see that finally value of ? still be integer 1.
Is there any magic when "...then a second parameter is sent to the driver
to tell it that the
value of the ? placeholder is 1"
I don't understand :(
----- Original Message -----
From: "Larry Meadors" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, July 06, 2005 10:25 AM
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
When you use this:
<select id="good" resultMap="myResultMap">
select * from foo where id = #value#
</select>
...and call it like this:
MyBean b = (MyBean)sqlMap.queryForObject("good", new Integer(1));
...iBATIS creates a prepared statement, so the SQL that goes to the
database is:
select * from foo where id = ?
...then a second parameter is sent to the driver to tell it that the
value of the ? placeholder is 1. The parameter 1 is not used to modify
the SQL.
However, when you use this:
<select id="bad" resultMap="myResultMap">
select * from foo where id = $value$
</select>
...and call it like this:
MyBean b = (MyBean)sqlMap.queryForObject("bad", new Integer(1));
...iBATIS creates a prepared statement, but the SQL that goes to the
database is:
select * from foo where id = 1
...so the object passed in (the Integer in this case) is used to
modify the SQL that is executed. This is where the danger is.
Let's say instead of an integer, a String was passed in from a web
page and the input was not checked. If the string was "1", that would
be just fine. However, a user could send a string like this: "1;drop
table foo;--", and instead of the query above, you would get this:
select * from foo where id = 1;drop table foo;--
Oops! what happened to the foo table?
If you can use the ## syntax, do.
Larry
On 7/5/05, Pham Anh Tuan <[EMAIL PROTECTED]> wrote:
oh, thanks all you :)
but I don't understand clearly why when we use ## is more safe than using
$$.
Is there any special things in using ## ???
help me!
----- Original Message -----
From: "Brandon Goodin" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, July 05, 2005 8:54 PM
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
> If you are using the #myProperty# delimiters you need not worry about
> sql injection. If you use the $myProperty$ literals you would need to
> guard against sql injection on your own.
>
> Brandon.
>
> On 7/5/05, Pham Anh Tuan <[EMAIL PROTECTED]> wrote:
>>
>> Hi all,
>>
>> I don't know whether or not iBatis support checking SQL Injection or
>> not
>> ?
>>
>> plz help me :)
>>
>> Pham
>
>
