RE(1): Avoiding SQL injection when calling stored procedures

Tue, 20 Feb 2007 22:32:18 -0800 

Hi Jeff.

Is there no danger of SQL Injection even if the stored procedure  internally 
uses the parameters to dynamically construct a query? In other words, are the 
parameters actively escaped by iBATIS even if I use a '?' when calling an 
stored procedure?

Thanks in advance!

Arsalan Zaidi

----- Original message -----
From: "Jeff Butler" <[EMAIL PROTECTED]>
Date: 2/20/2007 1:12:46 PM
Subject: Re: Avoiding SQL injection when calling stored procedures

> There is no danger of SQL injection in the first example.  This is standard
> JDBC syntax for stored procedures.
> 
> You can use the # syntax if you want, but you can't use a parameter map.
> Use a parameter class instead, and you'll need to use the advance inline
> paramater syntax.  But you should know that iBATIS will turn each parameter
> into a question mark, so you get back to the same thing anyway.
> 
> Jeff Butler
> 
> 
> 
> On 2/20/07, Arsalan Zaidi <[EMAIL PROTECTED]> wrote:
> >
> >  Hi All.
> >
> > When I call a stored procedure in Oracle like below, it works just fine:
> >
> >     <parameterMap id="getTitles" class="map">
> >         <parameter property="applicationId"
> > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
> >         <parameter property="userId"
> > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
> >         <parameter property="o_titles_record_set"
> > jdbcType="ORACLECURSOR"    javaType="java.sql.ResultSet"     mode="OUT"
> >     resultMap="titles" />
> >         <parameter property="o_error_code"
> > jdbcType="VARCHAR"        javaType="java.lang.String"     mode="OUT" />
> >     </parameterMap>
> >     <!-- Calling the Stored procedure -->
> >     <procedure id="get_titles_proc" parameterMap="getTitles">
> >                 {  call ABC$$ECOM.get_titles( ?,?,?,? ) }
> >     </procedure>
> >
> > However, I think using '?' does not provide any protection from SQL
> > injection attacks. Converting the ? to # should do the trick. However, if I
> > were to try the following:
> >
> >     <parameterMap id="getTitles" class="map">
> >         <parameter property="applicationId"
> > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
> >         <parameter property="userId"
> > jdbcType="NUMERIC"         javaType="java.lang.Long"     mode="IN" />
> >         <parameter property="o_titles_record_set"
> > jdbcType="ORACLECURSOR"    javaType="java.sql.ResultSet"     mode="OUT"
> >     resultMap="titles" />
> >         <parameter property="o_error_code"
> > jdbcType="VARCHAR"        javaType="java.lang.String"     mode="OUT" />
> >     </parameterMap>
> >     <!-- Calling the Stored procedure -->
> >     <procedure id="get_titles_proc" parameterMap="getTitles">
> >                 {  call ABC$$ECOM.get_titles( #applicationId#,#userId#,
> > #o_titles_record_set#,#o_error_code# ) }
> >     </procedure>
> >
> >
> > I get an "Invalid Column Index" Exception.
> >
> > What am I doing wrong?
> >
> > Regards.
> >
> > --Arsalan
> >
> >
> >
> > Regards,
> >
> >
> >
> > Arsalan Zaidi
> >
> >
> >
>

Reply via email to