I would always prefer not to use '$'. Otherwise you will have to check what is sent in the '$' and make sure it is proper and what you want.
Anyway, I like the methods being different for your scenario.

regards
ashok

On 7/31/07, Larry Meadors <[EMAIL PROTECTED]> wrote:
>
> Only if you control the value of sp_name very carefully. If someone
> can set it to "drop table order;--" you're screwed. :-)
>
> Larry
>
>
> On 7/31/07, John Dahl <[EMAIL PROTECTED]> wrote:
> >
> > OK, I did it successfully with the "$" operator.
> > One thing I would like to know is: can we prevent SQL injection in this case?
> >
> > Thank you for the solution.
> >
> >
> > John Dahl wrote:
> > >
> > > Ok, here is my requirement. I need to run different sps having different
> > > parameters. E.g., I need to run the following sps:
> > > 1) call generate_bill(#bill_id#)
> > > 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
> > >
> > > Can I create a single method in sql maps with dynamic tags (or
> > > programmatically) so that the same method can be called to execute any of
> > > these sps? The sp name and parameter map need to be resolved only at run time.
> > > Is it possible with iBatis?
> > >
> > > Thanks in advance.
> > >
> >
> > --
> > View this message in context:
> > http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11923238
> > Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
> >
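
One way to "control the value of sp_name very carefully", as an added example that is not code from anyone in this thread: the caller supplies only a short key, and the procedure name that ends up in `$sp_name$` is copied from a fixed allow-list together with the exact parameter names that procedure accepts. The class name `DynamicSpCall`, the method `buildParams` and the keys `bill` and `invoice` are assumptions; the procedure and parameter names are the ones from John's message, and the returned map is what would be passed as the parameter object to the single dynamic statement.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class DynamicSpCall {
    // Allow-list: caller-facing key -> { procedure name, required parameter names... }.
    private static final Map<String, String[]> PROCS = new HashMap<>();
    static {
        PROCS.put("bill", new String[] {"generate_bill", "bill_id"});
        PROCS.put("invoice", new String[] {"generate_invoice", "invoice_id", "start_date", "end_date"});
    }

    // Builds the parameter map for the dynamic statement. sp_name is copied from
    // PROCS, never from caller input; the other values stay bound via #name#.
    public static Map<String, Object> buildParams(String key, Map<String, Object> args) {
        String[] spec = (key == null) ? null : PROCS.get(key);
        if (spec == null) {
            throw new IllegalArgumentException("unknown procedure key");
        }
        Set<String> expected = new HashSet<>(Arrays.asList(spec).subList(1, spec.length));
        if (args == null || !expected.equals(args.keySet())) {
            throw new IllegalArgumentException("wrong parameter set for " + spec[0]);
        }
        Map<String, Object> params = new HashMap<>(args);
        params.put("sp_name", spec[0]);
        return params;
    }

    public static void main(String[] argv) {
        Map<String, Object> args = new HashMap<>();
        args.put("bill_id", 42); // constructed sample value
        System.out.println(buildParams("bill", args));

        // Constructed hostile inputs: the string from the thread used as the key,
        // and an attempt to smuggle sp_name in as an ordinary parameter.
        args.put("sp_name", "drop table order;--");
        for (String key : new String[] {"drop table order;--", "bill"}) {
            try {
                buildParams(key, args);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```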