Hi,

I was wondering if it was possible to use #PARAM# constructions within a $DYNAMICSQL$ query. I'm currently using iBatis sqlmap 2.3.0. And I'm trying to get the following to work:

    SELECT * FROM person $DYNAMICSQL$

With $DYNAMICSQL$ defined as:

    WHERE person.lastname LIKE '%#LASTNAME#%'

So the query being sent to the database will end up as:

    SELECT * FROM person WHERE person.lastname LIKE '%?%'

With that I hope the filter I'm creating is less prone to SQL Injection since the user data #LASTNAME# is still entered using bind variables and thus properly escaped.

Just doing as above currently gives me #LASTNAME# within the query, so it doesn't seem to be working. But I was hoping I'm doing something wrong. Or is the $$ construction being parsed/replaced in the same run as the ## construction? And if that's the case, is there some way to change that behaviour of iBatis, or is there a reason you shouldn't want that?

I hope you can help me.

Regards,
Wessel van Norel
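
Added example, not part of the original post and not iBATIS code: it runs the target query from the post, LIKE '%?%', against Python's built-in sqlite3 driver to show that a placeholder inside a quoted literal is not a bind parameter, next to a form that concatenates the wildcards around a real bind parameter and escapes LIKE metacharacters in the user value. The table rows, the helper names and the SQLite-style `||` concatenation are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows, not data from the post.
ROWS = ["van Norel", "Norelli", "O'Brien", "100%_sure", "Who?"]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, lastname TEXT)")
    db.executemany("INSERT INTO person (lastname) VALUES (?)", [(r,) for r in ROWS])
    return db

# The statement the post hopes to end up with: '?' is inside a string literal.
QUOTED = "SELECT lastname FROM person WHERE person.lastname LIKE '%?%'"
# Wildcards concatenated in SQL around a real bind parameter.
BOUND = ("SELECT lastname FROM person "
         "WHERE person.lastname LIKE '%' || ? || '%' ESCAPE '\\' ORDER BY id")

def quoted_form_accepts_binding(db, value):
    """True if the driver accepts one bound value for the '%?%' statement."""
    try:
        db.execute(QUOTED, (value,))
        return True
    except sqlite3.Error:
        # The statement has zero parameters, so the binding is rejected.
        return False

def quoted_form_literal_matches(db):
    """Run the '%?%' statement as-is: it searches for a literal question mark."""
    return [r[0] for r in db.execute(QUOTED)]

def escape_like(value, esc="\\"):
    """Neutralise LIKE wildcards so the user value only matches itself."""
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def bound_filter(db, lastname):
    """Substring filter where the user value travels only as a bind parameter."""
    return [r[0] for r in db.execute(BOUND, (escape_like(lastname),))]

if __name__ == "__main__":
    db = make_db()
    print("binding accepted by '%?%':", quoted_form_accepts_binding(db, "Norel"))
    print("'%?%' without binding matches:", quoted_form_literal_matches(db))
    for term in ["Norel", "O'Brien", "%", "x' OR '1'='1"]:
        print(repr(term), "->", bound_filter(db, term))
```

String concatenation syntax differs between databases, so the `||` operator in the bound form has to be adapted to the target database.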