I can't avoid using $ in my case as I need a method to run any sp with a varying no. of parameters. Anyway, thanks guys for the solution and suggestions.

Ashok Madhavan wrote:
>
> I would always prefer not to use '$'. Else you will have to check what is sent in the '$' and make sure it is proper and what you want.
>
> Anyways, I like the methods being different for your scenario.
>
> regards
> ashok
>
> On 7/31/07, Larry Meadors <[EMAIL PROTECTED]> wrote:
>>
>> Only if you control the value of sp_name very carefully. If someone can set it to "drop table order;--" you're screwed. :-)
>>
>> Larry
>>
>>
>> On 7/31/07, John Dahl <[EMAIL PROTECTED]> wrote:
>> >
>> > OK, I did it successfully with "$" operator.
>> > One thing I would like to know is can we prevent SQL injection in this case.
>> >
>> > Thank you for the solution.
>> >
>> >
>> > John Dahl wrote:
>> > >
>> > > Ok, here is my requirement. I need to run different sp having different parameters. For e.g. I need to run the following sps:
>> > > 1) call generate_bill(#bill_id#)
>> > > 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
>> > >
>> > > Can I create a single method in sql maps with dynamic tags (or programmatically) so that the same method can be called to execute any of these sps? sp name and parameter map need to be resolved only at run time.
>> > > Is it possible with iBatis?
>> > >
>> > > Thanks in advance.
>> > >
>> >
>> > --
>> > View this message in context: http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11923238
>> > Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
>> >
>

--
View this message in context: http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11941917
Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
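
One way to "control the value of sp_name very carefully", as discussed in the thread above: resolve the requested name through a fixed allowlist and emit only `?` placeholders for the arguments. This is an added example, not code from the thread or from iBATIS; the class and method names are hypothetical, and the parameter counts are taken from the two calls quoted in the thread.

```java
import java.util.Collections;
import java.util.Map;

/** Hypothetical helper: builds a call string only for known stored procedures. */
public class ProcedureCallBuilder {

    // Allowlist: procedure name -> number of parameters it accepts.
    // Names and counts follow the two calls quoted in the thread.
    private static final Map<String, Integer> ALLOWED = Map.of(
            "generate_bill", 1,
            "generate_invoice", 3);

    /**
     * Returns a JDBC call-escape string such as "{call generate_invoice(?, ?, ?)}".
     * The name is accepted only on an exact allowlist match, and argument
     * values never enter the SQL text: they stay as bound ? placeholders.
     */
    public static String buildCall(String requestedName, int paramCount) {
        if (requestedName == null) {
            throw new IllegalArgumentException("procedure name is required");
        }
        Integer expected = ALLOWED.get(requestedName);
        if (expected == null) {
            throw new IllegalArgumentException("procedure not allowed");
        }
        if (expected != paramCount) {
            throw new IllegalArgumentException(
                    "expected " + expected + " parameters, got " + paramCount);
        }
        String placeholders = String.join(", ", Collections.nCopies(paramCount, "?"));
        return "{call " + requestedName + "(" + placeholders + ")}";
    }

    public static void main(String[] args) {
        System.out.println(buildCall("generate_bill", 1));
        System.out.println(buildCall("generate_invoice", 3));

        // Constructed hostile inputs: the value quoted in the thread, and a
        // valid name carrying a trailing statement. Both are rejected.
        String[] hostile = { "drop table order;--", "generate_bill(1); drop table order;--" };
        for (String name : hostile) {
            try {
                buildCall(name, 1);
                throw new AssertionError("should have been rejected: " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the string returned by `buildCall` should ever be used as the `$`-substituted text; the argument values themselves are passed separately as bound parameters.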
