The difference is that the driver is responsible for escaping the parameters, not your application. What that means in more proactical terms is that if the parameter is '1;drop table foo;--', then the query will fail, because it is not an integer.
So instead of dropping the table, a fairly harmless SQLException is thrown. Larry On 7/6/05, Pham Anh Tuan <[EMAIL PROTECTED]> wrote: > [ > select * from foo where id = ? > > ...then a second parameter is sent to the driver to tell it that the > value of the ? placeholder is 1. The parameter 1 is not used to modify > the SQL. > ] > > why does the solution above can protect us from SQL Injection problems? > because, I see that finally value of ? still be integer 1. > > Is there any magic when "...then a second parameter is sent to the driver > to tell it that the > value of the ? placeholder is 1" > > I don't understand :( > ----- Original Message ----- > From: "Larry Meadors" <[EMAIL PROTECTED]> > To: <user-java@ibatis.apache.org> > Sent: Wednesday, July 06, 2005 10:25 AM > Subject: Re: [HELP] Whether or not iBatis support SQL Injection? > > > > When you use this: > > > > <select id="good" resultMap="myResultMap"> > > select * from foo where id = #value# > > </select> > > > > ...and call it like this: > > > > MyBean b = (MyBean)sqlMap.queryForObject("good", new Integer(1)); > > > > ...iBATIS creates a prepared statement, so the SQL that goes to the > > database is: > > > > select * from foo where id = ? > > > > ...then a second parameter is sent to the driver to tell it that the > > value of the ? placeholder is 1. The parameter 1 is not used to modify > > the SQL. > > > > However, when you use this: > > > > <select id="bad" resultMap="myResultMap"> > > select * from foo where id = $value$ > > </select> > > > > ...and call it like this: > > > > MyBean b = (MyBean)sqlMap.queryForObject("bad", new Integer(1)); > > > > ...iBATIS creates a prepared statement, but the SQL that goes to the > > database is: > > > > select * from foo where id = 1 > > > > ...so the object passed in (the Integer in this case) is used to > > modify the SQL that is executed. This is where the danger is. > > > > Let's say instead of an integer, a String was passed in from a web > > page and the input was not checked. If the string was "1", that would > > be just fine. However, a user could send a string like this: "1;drop > > table foo;--", and instead of the query above, you would get this: > > > > select * from foo where id = 1;drop table foo;-- > > > > Oops! what happened to the foo table? > > > > If you can use the ## syntax, do. > > > > Larry > > > > > > On 7/5/05, Pham Anh Tuan <[EMAIL PROTECTED]> wrote: > >> oh, thanks all you :) > >> > >> but I don't understand clearly why when we use ## is more safe than using > >> $$. > >> > >> Is there any special things in using ## ??? > >> > >> help me! > >> ----- Original Message ----- > >> From: "Brandon Goodin" <[EMAIL PROTECTED]> > >> To: <user-java@ibatis.apache.org> > >> Sent: Tuesday, July 05, 2005 8:54 PM > >> Subject: Re: [HELP] Whether or not iBatis support SQL Injection? > >> > >> > >> > If you are using the #myProperty# delimiters you need not worry about > >> > sql injection. If you use the $myProperty$ literals you would need to > >> > guard against sql injection on your own. > >> > > >> > Brandon. > >> > > >> > On 7/5/05, Pham Anh Tuan <[EMAIL PROTECTED]> wrote: > >> >> > >> >> Hi all, > >> >> > >> >> I don't know whether or not iBatis support checking SQL Injection or > >> >> not > >> >> ? > >> >> > >> >> plz help me :) > >> >> > >> >> Pham > >> > > >> > > >> > >> > >> > > > > > > >