I have not tried this but I don't see why it would not work.
SELECT * FROM person WHERE person.lastname LIKE '%'||#lastname#||'%'

The || is the concat operator for Oracle. It might be something else in another vendor.

On Tue, Apr 28, 2009 at 4:24 PM, DelGurth <delgu...@gmail.com> wrote:
> Hi,
>
> I was wondering if it was possible to use #PARAM# constructions within
> a $DYNAMICSQL$ query. I'm currently using iBatis sqlmap 2.3.0. And I'm
> trying to get the following to work:
>
> SELECT * FROM person
> $DYNAMICSQL$
>
> With $DYNAMICSQL$ defined as: WHERE person.lastname LIKE '%#LASTNAME#%'
>
> So the query being sent to the database will end up as:
>
> SELECT * FROM person
> WHERE person.lastname LIKE '%?%'
>
> With that I hope the filter I'm creating is less prone to SQL
> Injection since the user data #LASTNAME# is still entered using bind
> variables and thus properly escaped.
>
> Just doing as above currently gives me #LASTNAME# within the query, so
> it doesn't seem to be working. But I was hoping I'm doing something
> wrong. Or is the $$ construction being parsed/replaced in the same run
> as the ## construction? And if that's the case, is there some way to
> change that behaviour of iBatis, or is there a reason you shouldn't
> want that?
>
> I hope you can help me.
>
> Regards,
> Wessel van Norel
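As an added example (not from either message in this thread), here is the same filter written as an iBatis SQL Map 2.x statement using the built-in dynamic tags instead of a caller-supplied $DYNAMICSQL$ fragment, so the only user value reaches the database as a bind variable. The statement id, parameterClass and resultClass names are assumptions.

```xml
<!-- Added example, not from the thread. Statement id, parameterClass and
     resultClass are assumed names. -->
<select id="findPersonByLastname" parameterClass="map" resultClass="Person">
  SELECT * FROM person
  <!-- prepend="WHERE" is emitted only when an inner tag produces text,
       so an empty filter still yields a valid query. -->
  <dynamic prepend="WHERE">
    <isNotEmpty property="lastname">
      <!-- #lastname# becomes a JDBC '?' bind parameter; the '%' wildcards
           are SQL literals joined with || (Oracle concat), so no user text is
           ever spliced into the statement. A $lastname$ here would paste the
           raw string into the SQL and reopen the injection the poster is
           trying to avoid. -->
      person.lastname LIKE '%' || #lastname# || '%'
    </isNotEmpty>
  </dynamic>
</select>
```

With this mapping the application passes only the lastname value, not a SQL fragment, to queryForList(), which keeps the statement shape fixed in the map file.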