Posted to user-java@ibatis.apache.org by mfs <fa...@gmail.com> on 2008/05/12 10:13:31 UTC
PreparedStatement for procedure calls ?
Guys,
My understanding is that iBATIS internally uses PreparedStatement for all db
calls, which of course eliminates the SQL-injection vulnerability (to some
extent at least).
Now, I haven't really played around with PreparedStatements much, that's why
I'm putting up a pretty naive question.
Q. So does iBATIS use PreparedStatements for procedure calls as well? The
reason I ask is because I am using dynamic SQL in my stored procedures
(where even the column names are being dynamically generated), so I just had
fears of SQL injection exploitation, and hence the above question.
Thanks in advance.
Re: PreparedStatement for procedure calls ?
Posted by mfs <fa...@gmail.com>.
thanks..
Clinton Begin wrote:
>
> It uses CallableStatements for procs. CallableStatements are
> PreparedStatements so it can still be said that iBATIS always uses
> PreparedStatements. :-)
Re: PreparedStatement for procedure calls ?
Posted by Clinton Begin <cl...@gmail.com>.
It uses CallableStatements for procs. CallableStatements are
PreparedStatements so it can still be said that iBATIS always uses
PreparedStatements. :-)
On Mon, May 12, 2008 at 11:48 AM, mfs <fa...@gmail.com> wrote:
>
> anyone..?
>
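An added example, not part of the original thread and not iBATIS code: a bound parameter on a PreparedStatement or CallableStatement protects the value handed to the procedure, but a column name spliced into dynamic SQL inside the procedure is outside that protection and has to be checked against the real schema. The sketch below uses Python and an in-memory SQLite database as a stand-in for the stored procedure; the `account` table, its rows and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a constructed sample table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "o'hara", 75)])
    return conn

def account_columns(conn):
    """Allow-list taken from the schema; field 1 of each row is the column name."""
    return {row[1] for row in conn.execute("PRAGMA table_info(account)")}

def find_by_column_unsafe(conn, column, value):
    """Pattern to avoid: the value is bound, the column name is concatenated."""
    sql = "SELECT id, owner, balance FROM account WHERE " + column + " = ? ORDER BY id"
    return conn.execute(sql, (value,)).fetchall()

def find_by_column(conn, column, value):
    """Hardened form: identifier checked against the allow-list, value bound."""
    if column not in account_columns(conn):
        raise ValueError("unknown column: %r" % (column,))
    quoted = '"' + column.replace('"', '""') + '"'  # quote the vetted identifier
    sql = "SELECT id, owner, balance FROM account WHERE " + quoted + " = ? ORDER BY id"
    return conn.execute(sql, (value,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # A bound value containing a quote is plain data in both versions.
    print(find_by_column(conn, "owner", "o'hara"))
    # A column argument that is not a column changes the unsafe query's
    # predicate even though the value is still bound.
    print(len(find_by_column_unsafe(conn, "1 = 1 OR owner", "nobody")))
    try:
        find_by_column(conn, "1 = 1 OR owner", "nobody")
    except ValueError as exc:
        print("rejected:", exc)
```

The same check applies inside a real stored procedure: compare the requested column name against the database catalog, or a fixed list, before it goes into the dynamic statement, and keep every value as a bind variable.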
Re: PreparedStatement for procedure calls ?
Posted by mfs <fa...@gmail.com>.
anyone..?