Only if you control the value of sp_name very carefully. If someone
can set it to "drop table order;--" you're screwed. :-)

Larry


On 7/31/07, John Dahl <[EMAIL PROTECTED]> wrote:
>
> OK, I did it successfully with the "$" operator.
> One thing I would like to know is whether we can prevent SQL injection in this case.
>
> Thank you for the solution.
>
>
> John Dahl wrote:
> >
> > OK, here is my requirement. I need to run different SPs having different
> > parameters. For example, I need to run the following SPs:
> > 1) call generate_bill(#bill_id#)
> > 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
> >
> > Can I create a single method in SQL maps with dynamic tags (or
> > programmatically) so that the same method can be called to execute any of
> > these SPs? The SP name and parameter map need to be resolved only at run time.
> > Is it possible with iBATIS?
> >
> > Thanks in advance.
> >
>
> --
> View this message in context: 
> http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11923238
> Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
>
>
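
One way to control the value of sp_name as the reply above requires, as an added example that is not part of the original thread and not iBATIS code: resolve the name by exact match against a fixed allowlist before it is ever substituted with `$`, and keep every parameter value as a bound placeholder. The class name `ProcedureAllowlist` and the method `buildCall` are hypothetical; the procedure names and the hostile value come from the thread, and the dates are constructed sample values.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;

/** Added example: allowlist guard for a stored-procedure name chosen at run time. */
public class ProcedureAllowlist {

    // Procedures the application may call, with the parameter counts
    // implied by the two calls shown in the thread.
    private static final Map<String, Integer> ALLOWED = Map.of(
            "generate_bill", 1,
            "generate_invoice", 3);

    /**
     * Returns a JDBC call string built only from an allowlisted name and
     * "?" placeholders. Parameter values are never concatenated into the SQL.
     */
    static String buildCall(String spName, List<?> params) {
        // Exact-match lookup: no trimming, no case folding, no pattern matching.
        Integer arity = ALLOWED.get(spName);
        if (arity == null) {
            throw new IllegalArgumentException("procedure not allowlisted");
        }
        if (params.size() != arity) {
            throw new IllegalArgumentException("wrong parameter count for " + spName);
        }
        String marks = String.join(", ", Collections.nCopies(arity, "?"));
        return "{call " + spName + "(" + marks + ")}";
    }

    public static void main(String[] args) {
        // Prints {call generate_bill(?)}
        System.out.println(buildCall("generate_bill", List.of(42)));
        // Prints {call generate_invoice(?, ?, ?)}
        System.out.println(buildCall("generate_invoice",
                List.of(7, "2007-07-01", "2007-07-31")));
        try {
            // The value quoted in the reply above never reaches the SQL text.
            buildCall("drop table order;--", List.of());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same lookup can run in the DAO before the map is handed to the SQL map statement, so that only a name taken from the allowlist is placed under the key that `$sp_name$` reads.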
