To me this would be a huge issue. I'd look for a better driver. This is basic functionality...
From: Carlos Peix [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 11, 2008 9:29 AM To: [email protected] Subject: RE: MySql provider Hi Samuel, Yes, I think that you are right. I guess I have to escape some characters like ' (39) and \ (92). I there a way to do this in iBatis with some kind of interceptor at save time? Thanks Carlos Peix ________________________________ De: Clough, Samuel (USPC.PRG.Atlanta) [mailto:[EMAIL PROTECTED] Enviado el: Lunes, 10 de Noviembre de 2008 12:48 p.m. Para: [email protected] Asunto: RE: MySql provider I would expect this to be a driver issue, not an iBatis issue. From: Carlos Peix [mailto:[EMAIL PROTECTED] Sent: Monday, November 10, 2008 9:40 AM To: [email protected] Subject: RE: MySql provider Hi Milivoj, Yes, IBatis should use parameters and probably this is the way it works in general. I really don't know what is happening, because, as I told in my first post, ByteFX provider seems to work properly with exactly the same mappings. I thing that I have to do my own debugging session. Thank you very much, I'll let you know the results Carlos Peix ________________________________ De: Milivoj Milani [mailto:[EMAIL PROTECTED] Enviado el: Lunes, 10 de Noviembre de 2008 12:25 p.m. Para: [email protected] Asunto: RE: MySql provider I understand. iBatis.NET is built using parameters, I did my own share of debugging and it really uses parameters, at least for Oracle database. Can you give me an example of SQL iBatis is creating? If all fails, maybe you could try using ParameterMap instead of ParameterClass. I know I used to have problems with ParameterClass, but I forgot what kind J. Try using parameterMap and see how it goes. Cheers, Milivoj From: Carlos Peix [mailto:[EMAIL PROTECTED] Sent: Monday, November 10, 2008 3:02 PM To: [email protected] Subject: RE: MySql provider Thanks again Milivoj Yes, you are right, DescResultados is a string and contains that special character (and many other potentially). This should not be a problem if the command is build with parameters (I mean, ADO.NET parameter object). But, as I get a syntax exception, I realized that IBatis is concatenating strings to build the command, which is a big risk with the "sql injection" guys out there. I appreciate your effort Carlos Peix ________________________________ De: Milivoj Milani [mailto:[EMAIL PROTECTED] Enviado el: Lunes, 10 de Noviembre de 2008 10:43 a.m. Para: [email protected] Asunto: RE: MySql provider Hi Carlos, If I understood you correctly DescResultados is a string? Does it have special characters in it, like ' or \ ? Milivoj From: Carlos Peix [mailto:[EMAIL PROTECTED] Sent: Monday, November 10, 2008 1:38 PM To: [email protected] Subject: RE: MySql provider Hi Milivoj, Thanks for your answer, of course I can add more info. Provider config: <provider name="MySql" description="MySQL, MySQL provider 1.0.9.0" enabled="true" assemblyName="MySql.Data, Version=1.0.9.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" connectionClass="MySql.Data.MySqlClient.MySqlConnection" commandClass="MySql.Data.MySqlClient.MySqlCommand" parameterClass="MySql.Data.MySqlClient.MySqlParameter" parameterDbTypeClass="MySql.Data.MySqlClient.MySqlDbType" parameterDbTypeProperty="MySqlDbType" dataAdapterClass="MySql.Data.MySqlClient.MySqlDataAdapter" commandBuilderClass="MySql.Data.MySqlClient.MySqlCommandBuilder" usePositionalParameters="false" useParameterPrefixInSql="true" useParameterPrefixInParameter="true" parameterPrefix="?" allowMARS="false" /> Command: <update id="UpdateInmueble" parameterClass="Inmueble"> UPDATE Inmuebles SET DescUbicacion = #DescUbicacion#, DescResultados = #DescResultados#, DescFicha = #DescFicha#, ... (other fields omitted) UltModificacion = SYSDATE() WHERE CodInmobiliaria = #CodInmobiliaria# AND CodInmueble = #CodInmueble# </update> parameterClass="Inmueble" where Inmueble is a POCO, the problem was with the DescResultados field (free text on the database) Thanks Carlos Peix ________________________________ De: Milivoj Milani [mailto:[EMAIL PROTECTED] Enviado el: Lunes, 10 de Noviembre de 2008 09:46 a.m. Para: [email protected] Asunto: RE: MySql provider Can you give us an excerpt from your configuration files? It is hard to answer without it. From: Carlos Peix [mailto:[EMAIL PROTECTED] Sent: Monday, November 10, 2008 12:43 PM To: [email protected] Subject: MySql provider Hi all, We are using DataMapper version 1.6.1.0 on Net 1.1 with the MySql.Data driver, version 1.0.10.x and MySql 5.x We are surprised because seems like IBatis, with that provider at least, is building the query concatenating strings. The error arose with a Incorrect syntax exception from MySql due to a single quote ( ' ) in the comment issued to the DB. We verified that the data had that character inside but it's supposed not to affect if the query is sent with parameters. Are we missing something? Why is IBatis not sending a command with parameters? it depends on provider configuration? The problem doesn't appear with the old ByteFX provider but it doesn't work with the new authentication in MySql 5.0 Thanks and have a nice week Carlos Peix ________________________________ Princeton Retirement Group, Inc - Important Terms This E-mail is not intended for distribution to, or use by, any person or entity in any location where such distribution or use would be contrary to law or regulation, or which would subject Princeton Retirement Group, Inc. or any affiliate to any registration requirement within such location. This E-mail may contain privileged or confidential information or may otherwise be protected by work product immunity or other legal rules. No confidentiality or privilege is waived or lost by any mistransmission. Access, copying or re-use of information by non-intended or non-authorized recipients is prohibited. If you are not an intended recipient of this E-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute any portion of this E-mail. The transmission and content of this E-mail cannot be guaranteed to be secure or error-free. Therefore, we cannot represent that the information in this E-mail is complete, accurate, uncorrupted, timely or free of viruses, and Princeton Retirement Group, Inc. cannot accept any liability for E-mails that have been altered in the course of delivery. Princeton Retirement Group, Inc. reserves the right to monitor, review and retain all electronic communications, including E-mail, traveling through its networks and systems (subject to and in accordance with local laws). If any of your details are incorrect or if you no longer wish to receive mailings such as this by E-mail please contact the sender by reply E-mail. ________________________________
