Right, thanks for all you help! :-)
Regards,
Arsalan Zaidi
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Larry Meadors
> Sent: Wednesday, February 21, 2007 6:09 PM
> To: user-java@ibatis.apache.org; [EMAIL PROTECTED]
> Subject: Re: RE(1): Avoiding SQL injection when calling stored procedures
>
> No.
>
> If your stored procedure constructs SQL from parameters, it is assumed
> that you know what you are doing and escape them.
>
> Larry
>
>
> On 2/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> wrote:
> >
> > Hi Jeff.
> >
> > Is there no danger of SQL Injection even if the stored procedure
> internally uses the parameters to dynamically construct a query? In other
> words, are the parameters actively escaped by iBATIS even if I use a '?'
> when calling an stored procedure?
> >
> > Thanks in advance!
> >
> > Arsalan Zaidi
> >
> > ----- Original message -----
> > From: "Jeff Butler" <[EMAIL PROTECTED]>
> > Date: 2/20/2007 1:12:46 PM
> > Subject: Re: Avoiding SQL injection when calling stored procedures
> >
> > > There is no danger of SQL injection in the first example. This is
> standard
> > > JDBC syntax for stored procedures.
> > >
> > > You can use the # syntax if you want, but you can't use a parameter
> map.
> > > Use a parameter class instead, and you'll need to use the advance
> inline
> > > paramater syntax. But you should know that iBATIS will turn each
> parameter
> > > into a question mark, so you get back to the same thing anyway.
> > >
> > > Jeff Butler
> > >
> > >
> > >
> > > On 2/20/07, Arsalan Zaidi <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Hi All.
> > > >
> > > > When I call a stored procedure in Oracle like below, it works just
> fine:
> > > >
> > > > <parameterMap id="getTitles" class="map">
> > > > <parameter property="applicationId"
> > > > jdbcType="NUMERIC" javaType="java.lang.Long" mode="IN"
> />
> > > > <parameter property="userId"
> > > > jdbcType="NUMERIC" javaType="java.lang.Long" mode="IN"
> />
> > > > <parameter property="o_titles_record_set"
> > > > jdbcType="ORACLECURSOR" javaType="java.sql.ResultSet"
> mode="OUT"
> > > > resultMap="titles" />
> > > > <parameter property="o_error_code"
> > > > jdbcType="VARCHAR" javaType="java.lang.String" mode="OUT"
> />
> > > > </parameterMap>
> > > > <!-- Calling the Stored procedure -->
> > > > <procedure id="get_titles_proc" parameterMap="getTitles">
> > > > { call ABC$$ECOM.get_titles( ?,?,?,? ) }
> > > > </procedure>
> > > >
> > > > However, I think using '?' does not provide any protection from SQL
> > > > injection attacks. Converting the ? to # should do the trick.
> However, if I
> > > > were to try the following:
> > > >
> > > > <parameterMap id="getTitles" class="map">
> > > > <parameter property="applicationId"
> > > > jdbcType="NUMERIC" javaType="java.lang.Long" mode="IN"
> />
> > > > <parameter property="userId"
> > > > jdbcType="NUMERIC" javaType="java.lang.Long" mode="IN"
> />
> > > > <parameter property="o_titles_record_set"
> > > > jdbcType="ORACLECURSOR" javaType="java.sql.ResultSet"
> mode="OUT"
> > > > resultMap="titles" />
> > > > <parameter property="o_error_code"
> > > > jdbcType="VARCHAR" javaType="java.lang.String" mode="OUT"
> />
> > > > </parameterMap>
> > > > <!-- Calling the Stored procedure -->
> > > > <procedure id="get_titles_proc" parameterMap="getTitles">
> > > > { call ABC$$ECOM.get_titles(
> #applicationId#,#userId#,
> > > > #o_titles_record_set#,#o_error_code# ) }
> > > > </procedure>
> > > >
> > > >
> > > > I get an "Invalid Column Index" Exception.
> > > >
> > > > What am I doing wrong?
> > > >
> > > > Regards.
> > > >
> > > > --Arsalan
> > > >
> > > >
> > > >
> > > > Regards,
> > > >
> > > >
> > > >
> > > > Arsalan Zaidi
> > > >
> > > >
> > > >
> > >
> >
