Posted to commits@ibatis.apache.org by cb...@apache.org on 2009/12/06 00:10:06 UTC
svn commit: r887607 - in /ibatis/java/ibatis-3/trunk/ibatis-3-core/src:
main/java/org/apache/ibatis/builder/xml/dynamic/
test/java/org/apache/ibatis/submitted/cglib_lazy_error/
Author: cbegin
Date: Sat Dec 5 23:10:05 2009
New Revision: 887607
URL: http://svn.apache.org/viewvc?rev=887607&view=rev
Log:
ibatis 695 Problem when using ${param}. Works only for object parameters not for basic types
Modified:
ibatis/java/ibatis-3/trunk/ibatis-3-core/src/main/java/org/apache/ibatis/builder/xml/dynamic/TextSqlNode.java
ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/CglibNPETest.java
ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/Person.xml
ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/PersonMapper.java
Modified: ibatis/java/ibatis-3/trunk/ibatis-3-core/src/main/java/org/apache/ibatis/builder/xml/dynamic/TextSqlNode.java
URL: http://svn.apache.org/viewvc/ibatis/java/ibatis-3/trunk/ibatis-3-core/src/main/java/org/apache/ibatis/builder/xml/dynamic/TextSqlNode.java?rev=887607&r1=887606&r2=887607&view=diff
==============================================================================
--- ibatis/java/ibatis-3/trunk/ibatis-3-core/src/main/java/org/apache/ibatis/builder/xml/dynamic/TextSqlNode.java (original)
+++ ibatis/java/ibatis-3/trunk/ibatis-3-core/src/main/java/org/apache/ibatis/builder/xml/dynamic/TextSqlNode.java Sat Dec 5 23:10:05 2009
@@ -4,6 +4,7 @@
import org.apache.ibatis.ognl.Ognl;
import org.apache.ibatis.ognl.OgnlException;
import org.apache.ibatis.parsing.GenericTokenParser;
+import org.apache.ibatis.type.SimpleTypeRegistry;
public class TextSqlNode implements SqlNode {
private String text;
@@ -28,6 +29,12 @@
public String handleToken(String content) {
try {
+ Object parameter = context.getBindings().get("_parameter");
+ if (parameter == null) {
+ context.getBindings().put("value", null);
+ } else if (SimpleTypeRegistry.isSimpleType(parameter.getClass())) {
+ context.getBindings().put("value", parameter);
+ }
Object value = Ognl.getValue(content, context.getBindings());
return String.valueOf(value);
} catch (OgnlException e) {
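Review bot: The text returned by `String.valueOf(value)` is spliced into the SQL string with no escaping or binding, and the new `value` binding lets a bare String parameter reach that path, as the `WHERE id = ${value}` select added to Person.xml in this commit does. I would state that above the new lines, e.g. `// ${...} is raw text substitution, not a bind variable: validate the value before it gets here, use #{...} for data`. The null branch binds `value` to null, so `${value}` presumably renders as the literal text `null` instead of failing; if that is intended it deserves a short comment as well. handleToken starts and ends outside this hunk, so what the catch block does with an OgnlException is not visible here.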
Modified: ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/CglibNPETest.java
URL: http://svn.apache.org/viewvc/ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/CglibNPETest.java?rev=887607&r1=887606&r2=887607&view=diff
==============================================================================
--- ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/CglibNPETest.java (original)
+++ ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/CglibNPETest.java Sat Dec 5 23:10:05 2009
@@ -122,4 +122,17 @@
}
}
+ @Test
+ public void testSelectWithStringSQLInjection() {
+ SqlSession sqlSession = sqlSessionFactory.openSession();
+ try {
+ PersonMapper personMapper = sqlSession.getMapper(PersonMapper.class);
+ Person selected1 = personMapper.selectByStringId("1");
+ Assert.assertEquals(1,selected1.getId());
+
+ } finally {
+ sqlSession.close();
+ }
+ }
+
}
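Review bot: `testSelectWithStringSQLInjection` passes only the well-formed id `"1"` and asserts the happy path, so the name promises coverage the test does not provide. Rename it to something like `testSelectWithStringParameterSubstitution`, or add a comment such as `// ibatis 695: ${value} must resolve for a simple-type parameter; this does not test input validation`. The empty line before `} finally {` can be dropped.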
Modified: ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/Person.xml
URL: http://svn.apache.org/viewvc/ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/Person.xml?rev=887607&r1=887606&r2=887607&view=diff
==============================================================================
--- ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/Person.xml (original)
+++ ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/Person.xml Sat Dec 5 23:10:05 2009
@@ -27,6 +27,12 @@
WHERE id = #{id,jdbcType=INTEGER}
</select>
+ <select id="selectByStringId" resultMap="personMap" parameterType="String">
+ SELECT <include refid="columns"/>
+ FROM Person
+ WHERE id = ${value}
+ </select>
+
<insert id="insertPerson">
INSERT INTO person (id, firstName, lastName, parent)
VALUES (#{id}, #{firstName}, #{lastName}, null);
Modified: ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/PersonMapper.java
URL: http://svn.apache.org/viewvc/ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/PersonMapper.java?rev=887607&r1=887606&r2=887607&view=diff
==============================================================================
--- ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/PersonMapper.java (original)
+++ ibatis/java/ibatis-3/trunk/ibatis-3-core/src/test/java/org/apache/ibatis/submitted/cglib_lazy_error/PersonMapper.java Sat Dec 5 23:10:05 2009
@@ -3,6 +3,7 @@
public interface PersonMapper {
public Person selectById(int id);
+ public Person selectByStringId(String id);
public int insertPerson (Person person);
}