No.
If your stored procedure constructs SQL from parameters, it is assumed
that you know what you are doing and escape them.
Larry
On 2/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hi Jeff.
Is there no danger of SQL Injection even if the stored procedure internally
uses the parameters to dynamically construct a query? In other words, are the
parameters actively escaped by iBATIS even if I use a '?' when calling an
stored procedure?
Thanks in advance!
Arsalan Zaidi
----- Original message -----
From: "Jeff Butler" <[EMAIL PROTECTED]>
Date: 2/20/2007 1:12:46 PM
Subject: Re: Avoiding SQL injection when calling stored procedures
> There is no danger of SQL injection in the first example. This is standard
> JDBC syntax for stored procedures.
>
> You can use the # syntax if you want, but you can't use a parameter map.
> Use a parameter class instead, and you'll need to use the advance inline
> paramater syntax. But you should know that iBATIS will turn each parameter
> into a question mark, so you get back to the same thing anyway.
>
> Jeff Butler
>
>
>
> On 2/20/07, Arsalan Zaidi <[EMAIL PROTECTED]> wrote:
> >
> > Hi All.
> >
> > When I call a stored procedure in Oracle like below, it works just fine:
> >
> > <parameterMap id="getTitles" class="map">
> > <parameter property="applicationId"
> > jdbcType="NUMERIC" javaType="java.lang.Long" mode="IN" />
> > <parameter property="userId"
> > jdbcType="NUMERIC" javaType="java.lang.Long" mode="IN" />
> > <parameter property="o_titles_record_set"
> > jdbcType="ORACLECURSOR" javaType="java.sql.ResultSet" mode="OUT"
> > resultMap="titles" />
> > <parameter property="o_error_code"
> > jdbcType="VARCHAR" javaType="java.lang.String" mode="OUT" />
> > </parameterMap>
> > <!-- Calling the Stored procedure -->
> > <procedure id="get_titles_proc" parameterMap="getTitles">
> > { call ABC$$ECOM.get_titles( ?,?,?,? ) }
> > </procedure>
> >
> > However, I think using '?' does not provide any protection from SQL
> > injection attacks. Converting the ? to # should do the trick. However, if I
> > were to try the following:
> >
> > <parameterMap id="getTitles" class="map">
> > <parameter property="applicationId"
> > jdbcType="NUMERIC" javaType="java.lang.Long" mode="IN" />
> > <parameter property="userId"
> > jdbcType="NUMERIC" javaType="java.lang.Long" mode="IN" />
> > <parameter property="o_titles_record_set"
> > jdbcType="ORACLECURSOR" javaType="java.sql.ResultSet" mode="OUT"
> > resultMap="titles" />
> > <parameter property="o_error_code"
> > jdbcType="VARCHAR" javaType="java.lang.String" mode="OUT" />
> > </parameterMap>
> > <!-- Calling the Stored procedure -->
> > <procedure id="get_titles_proc" parameterMap="getTitles">
> > { call ABC$$ECOM.get_titles( #applicationId#,#userId#,
> > #o_titles_record_set#,#o_error_code# ) }
> > </procedure>
> >
> >
> > I get an "Invalid Column Index" Exception.
> >
> > What am I doing wrong?
> >
> > Regards.
> >
> > --Arsalan
> >
> >
> >
> > Regards,
> >
> >
> >
> > Arsalan Zaidi
> >
> >
> >
>
