On Wed, Apr 29, 2009 at 12:24 AM, DelGurth <delgu...@gmail.com> wrote:
> Hi,
>
> I was wondering if it was possible to use #PARAM# constructions within
> a $DYNAMICSQL$ query. I'm currently using iBatis sqlmap 2.3.0. And I'm
> trying to get the following to work:
>
> SELECT * FROM person
> $DYNAMICSQL$
>
> With $DYNAMICSQL$ defined as: WHERE person.lastname LIKE '%#LASTNAME#%'
>
> So the query being sent to the database will end up as:
>
> SELECT * FROM person
> WHERE person.lastname LIKE '%?%'
>
> With that I hope the filter I'm creating is less prone to SQL
> injection, since the user data #LASTNAME# is still entered using bind
> variables and thus properly escaped.
>
> Just doing as above currently gives me #LASTNAME# within the query, so
> it doesn't seem to be working. But I was hoping I'm doing something
> wrong. Or is the $$ construction being parsed/replaced in the same run
> as the ## construction? And if that's the case, is there some way to
> change that behaviour of iBatis, or is there a reason you shouldn't
> want that?
>
> I hope you can help me.
>
> Regards,
> Wessel van Norel
We have been working on a solution for our problem. The general idea is to add an extra attribute to the <dynamic> tag, "deferSubstitutions". If you specify it as true, the ## substitutions are done after the $$ substitutions. With this we can make it work with minimal changes to iBatis while keeping it backwards compatible.

The question now is: should we propose this change to iBatis, and if so, how do we do that? I'll attach the patch we made to this message, so you can see what we have changed.

Regards,
Wessel

P.S. This patch has been created against iBatis 2.3.0, not HEAD.
ibatis.patch
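The ordering question the thread turns on (does `#...#` inside a spliced `$...$` fragment still become a bind variable?) is easy to reason about with a small model. The following is an added illustration written for this page; it is not iBatis code and not the poster's patch. It assumes two regex-driven passes whose order is chosen only to reproduce the behaviour described above (single pass: `#LASTNAME#` survives as literal text; deferred: it becomes `?` with a bind value), plus two checks a practitioner would want on the rendered SQL: leftover `#name#` tokens, and `?` characters that ended up inside a quoted literal, where a JDBC driver treats them as ordinary characters rather than parameters. The `'%' || #LASTNAME# || '%'` fragment is an assumed alternative spelling of the filter (standard SQL concatenation; not all databases accept `||`), included to show a pattern that keeps the placeholder outside the literal. The hostile input is constructed for the example.

```python
import re
from typing import Any, Dict, List, Tuple

# Simplified model of the two substitution styles discussed in the thread.
# Added illustration, NOT iBatis code: $name$ splices the raw value into the
# SQL text, #name# becomes a '?' placeholder whose value is passed separately
# as a bind variable.  The pass ordering is an assumption chosen to reproduce
# the behaviour the poster observed.

DOLLAR = re.compile(r"\$(\w+)\$")
HASH = re.compile(r"#(\w+)#")


def splice_dollar(sql: str, params: Dict[str, Any]) -> str:
    """$name$: textual splice of the raw value, no quoting or escaping."""
    return DOLLAR.sub(lambda m: str(params[m.group(1)]), sql)


def bind_hash(sql: str, params: Dict[str, Any]) -> Tuple[str, List[Any]]:
    """#name#: replace with '?' and collect the value as a bind variable."""
    binds: List[Any] = []

    def repl(m):
        binds.append(params[m.group(1)])
        return "?"

    return HASH.sub(repl, sql), binds


def prepare(sql: str, params: Dict[str, Any],
            defer_substitutions: bool = False) -> Tuple[str, List[Any]]:
    """Render a statement into (sql text, bind list).

    defer_substitutions=False: #...# first, then $...$.  A #LASTNAME# that
    only appears after the $DYNAMICSQL$ splice is never seen by the bind
    pass and stays as literal text, which is what the poster observed.
    defer_substitutions=True: $...$ first, then #...#, so placeholders
    arriving through the spliced fragment are still bound (the effect the
    proposed deferSubstitutions attribute is meant to have).
    """
    if defer_substitutions:
        return bind_hash(splice_dollar(sql, params), params)
    text, binds = bind_hash(sql, params)
    return splice_dollar(text, params), binds


# Checks on the rendered text.

QUOTED = re.compile(r"'(?:[^']|'')*'")  # single-quoted literals, '' escapes


def placeholders_inside_literals(sql: str) -> int:
    """Count '?' characters sitting inside a quoted literal.

    A driver treats those as plain characters, not parameters, so
    LIKE '%?%' binds nothing even though it looks parameterised.
    """
    return sum(lit.count("?") for lit in QUOTED.findall(sql))


def unresolved_hash_params(sql: str) -> List[str]:
    """Names of #...# tokens left in the final SQL (never bound)."""
    return HASH.findall(sql)


TEMPLATE = "SELECT * FROM person $DYNAMICSQL$"
FRAGMENT = "WHERE person.lastname LIKE '%#LASTNAME#%'"      # as in the post
SAFE_FRAGMENT = "WHERE person.lastname LIKE '%' || #LASTNAME# || '%'"  # assumed alternative

# Constructed hostile input: a classic quote-breaking payload.
HOSTILE = "x' OR '1'='1"


def demo() -> Dict[str, Tuple[str, List[Any]]]:
    params = {"DYNAMICSQL": FRAGMENT, "LASTNAME": HOSTILE}
    return {
        "single_pass": prepare(TEMPLATE, params, defer_substitutions=False),
        "deferred": prepare(TEMPLATE, params, defer_substitutions=True),
        "deferred_safe": prepare(
            TEMPLATE, {"DYNAMICSQL": SAFE_FRAGMENT, "LASTNAME": HOSTILE},
            defer_substitutions=True),
        # What happens if the user value itself is spliced with $...$.
        "spliced_value": (splice_dollar(
            "SELECT * FROM person WHERE person.lastname = '$LASTNAME$'",
            {"LASTNAME": HOSTILE}), []),
    }


if __name__ == "__main__":
    for name, (sql, binds) in demo().items():
        print(f"{name:14} {sql!r} binds={binds}")
        print(f"{'':14} unresolved={unresolved_hash_params(sql)} "
              f"'?'-in-literal={placeholders_inside_literals(sql)}")
```

Running it shows the four cases side by side: the single-pass render leaves `#LASTNAME#` unresolved (the poster's symptom); the deferred render binds it, but the `?` lands inside `'%...%'`, so the filter still would not be parameterised at the driver level; the concatenated fragment binds cleanly with the hostile value carried as a bind variable; and splicing the value with `$LASTNAME$` produces `= 'x' OR '1'='1'`, the injection the bind-variable approach is meant to avoid.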