Subject: Re: RE(1): Avoiding SQL injection when calling stored procedures
No.
If your stored procedure constructs SQL from parameters, it is assumed
that you know what you are doing and escape them.
Larry
On 2/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hi Jeff.
Is there no danger of SQL Injection even if the stored procedure internally
uses the parameters to dynamically construct a query? In other words, are the
parameters actively escaped by iBATIS even if I use a '?' when calling a
stored procedure?
Thanks in advance!
Arsalan Zaidi
--
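The situation discussed in this thread, as an added example that is not part of the original messages: a bound parameter reaches the procedure intact, and what happens next depends on the procedure body. It assumes PostgreSQL PL/pgSQL (the thread names no database); the table and function names are hypothetical, and PREPARE/EXECUTE stands in for the '?' placeholder in the call.

```sql
-- Constructed sample schema and data (hypothetical names).
CREATE TABLE customers (id integer PRIMARY KEY, name text NOT NULL);
INSERT INTO customers VALUES (1, 'Smith'), (2, 'O''Brien');

-- Unsafe body: the parameter is concatenated into the statement text,
-- so any quote character in the value becomes part of the SQL syntax.
CREATE FUNCTION find_customers_unsafe(p_name text)
RETURNS SETOF customers
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT id, name FROM customers WHERE name = ''' || p_name || '''';
END;
$$;

-- Safe body: the dynamic statement has its own placeholder and the
-- value is passed with USING, so it is never parsed as SQL.
CREATE FUNCTION find_customers_safe(p_name text)
RETURNS SETOF customers
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT id, name FROM customers WHERE name = $1' USING p_name;
END;
$$;

-- Identifiers cannot be bound; when a table name must be dynamic,
-- format() with %I quotes it as an identifier.
CREATE FUNCTION count_rows_safe(p_table text)
RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE format('SELECT count(*) FROM %I', p_table) INTO n;
    RETURN n;
END;
$$;

-- The caller binds the argument in both cases, as a '?' call would.
PREPARE call_safe(text)   AS SELECT * FROM find_customers_safe($1);
PREPARE call_unsafe(text) AS SELECT * FROM find_customers_unsafe($1);

-- Same bound value, containing one quote character, for both calls.
EXECUTE call_safe('O''Brien');
EXECUTE call_unsafe('O''Brien');
```

The safe call matches the stored name, while the unsafe call fails to parse inside the function because the quote in the bound value ends the string literal early. Binding at the call site protects only the call itself, not SQL assembled inside the procedure.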