Posted to user-java@ibatis.apache.org by John Dahl <cl...@gmail.com> on 2007/07/29 13:08:07 UTC

Running dynamic sp

Ok, here is my requirement. I need to run different sp having different
parameters. For eg. I need to run following sps
1) call generate_bill( #bill_id#)
2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)

Can I create a single method in sql methods with dynamic tags so that the
same method can be called to execute any of these sps. sp Name and parameter
map need to be resolved only at run time. Is it possible with iBatis.

Thanx in advance.
-- 
View this message in context: http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11850587
Sent from the iBATIS - User - Java mailing list archive at Nabble.com.


Re: Running dynamic sp

Posted by Zoran Avtarovski <zo...@sparecreative.com>.
The way we got around the risk of malicious users was to run $query$ using a
separate db connection where the user for that connection only had read
privileges.

Saves a lot of angst.

Z.

> 
> I can't avoid using $ in my case as I need a method to run any sp with
> varying no of parameters. Anyway thanks guys for the solution and
> suggestions.
> 
> 
> Ashok Madhavan wrote:
>> 
>> i would always prefer not to use '$'. else you will have to check what is
>> sent in the '$' and make sure it is proper and what u want.
>> 
>> anyways i like the methods being different for your scenario
>> 
>> regards
>> ashok
>> 
>> On 7/31/07, Larry Meadors <lm...@apache.org> wrote:
>>> 
>>> Only if you control the value of sp_name very carefully. If someone
>>> can set it to "drop table order;--" you're screwed. :-)
>>> 
>>> Larry
>>> 
>>> 
>>> On 7/31/07, John Dahl <cl...@gmail.com> wrote:
>>>> 
>>>> OK, I did it successfully with "$" operator.
>>>> One thing I would like to know is can we prevent sql injection in this
>>> case.
>>>> 
>>>> Thank you for the solution.
>>>> 
>>>> 
>>>> John Dahl wrote:
>>>>> 
>>>>> Ok, here is my requirement. I need to run different sp having
>>> different
>>>>> parameters. For eg. I need to run following sps
>>>>> 1) call generate_bill( #bill_id#)
>>>>> 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
>>>>> 
>>>>> Can I create a single method in sql maps with dynamic tags (or
>>>>> programatically) so that the same method can be called to execute any
>>> of
>>>>> these sps. sp Name and parameter map need to be resolved only at run
>>> time.
>>>>> Is it possible with iBatis.
>>>>> 
>>>>> Thanx in advance.
>>>>> 
>>>> 
>>>> --
>>>> View this message in context:
>>> http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11923238
>>>> Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
>>>> 
>>>> 
>>> 
>> 
>> 



Re: Running dynamic sp

Posted by John Dahl <cl...@gmail.com>.
I can't avoid using $ in my case as I need a method to run any sp with
varying no of parameters. Anyway thanks guys for the solution and
suggestions.


Ashok Madhavan wrote:
> 
> i would always prefer not to use '$'. else you will have to check what is
> sent in the '$' and make sure it is proper and what u want.
> 
> anyways i like the methods being different for your scenario
> 
> regards
> ashok
> 
> On 7/31/07, Larry Meadors <lm...@apache.org> wrote:
>>
>> Only if you control the value of sp_name very carefully. If someone
>> can set it to "drop table order;--" you're screwed. :-)
>>
>> Larry
>>
>>
>> On 7/31/07, John Dahl <cl...@gmail.com> wrote:
>> >
>> > OK, I did it successfully with "$" operator.
>> > One thing I would like to know is can we prevent sql injection in this
>> case.
>> >
>> > Thank you for the solution.
>> >
>> >
>> > John Dahl wrote:
>> > >
>> > > Ok, here is my requirement. I need to run different sp having
>> different
>> > > parameters. For eg. I need to run following sps
>> > > 1) call generate_bill( #bill_id#)
>> > > 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
>> > >
>> > > Can I create a single method in sql maps with dynamic tags (or
>> > > programatically) so that the same method can be called to execute any
>> of
>> > > these sps. sp Name and parameter map need to be resolved only at run
>> time.
>> > > Is it possible with iBatis.
>> > >
>> > > Thanx in advance.
>> > >
>> >
>> > --
>> > View this message in context:
>> http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11923238
>> > Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
>> >
>> >
>>
> 
> 



Re: Running dynamic sp

Posted by Ashok Madhavan <as...@gmail.com>.
i would always prefer not to use '$'. else you will have to check what is
sent in the '$' and make sure it is proper and what u want.

anyways i like the methods being different for your scenario

regards
ashok

On 7/31/07, Larry Meadors <lm...@apache.org> wrote:
>
> Only if you control the value of sp_name very carefully. If someone
> can set it to "drop table order;--" you're screwed. :-)
>
> Larry
>
>
> On 7/31/07, John Dahl <cl...@gmail.com> wrote:
> >
> > OK, I did it successfully with "$" operator.
> > One thing I would like to know is can we prevent sql injection in this
> case.
> >
> > Thank you for the solution.
> >
> >
> > John Dahl wrote:
> > >
> > > Ok, here is my requirement. I need to run different sp having
> different
> > > parameters. For eg. I need to run following sps
> > > 1) call generate_bill( #bill_id#)
> > > 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
> > >
> > > Can I create a single method in sql maps with dynamic tags (or
> > > programatically) so that the same method can be called to execute any
> of
> > > these sps. sp Name and parameter map need to be resolved only at run
> time.
> > > Is it possible with iBatis.
> > >
> > > Thanx in advance.
> > >
> >
> > --
> > View this message in context:
> http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11923238
> > Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
> >
> >
>

Re: Running dynamic sp

Posted by Larry Meadors <lm...@apache.org>.
Only if you control the value of sp_name very carefully. If someone
can set it to "drop table order;--" you're screwed. :-)

Larry


On 7/31/07, John Dahl <cl...@gmail.com> wrote:
>
> OK, I did it successfully with "$" operator.
> One thing I would like to know is can we prevent sql injection in this case.
>
> Thank you for the solution.
>
>
> John Dahl wrote:
> >
> > Ok, here is my requirement. I need to run different sp having different
> > parameters. For eg. I need to run following sps
> > 1) call generate_bill( #bill_id#)
> > 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
> >
> > Can I create a single method in sql maps with dynamic tags (or
> > programatically) so that the same method can be called to execute any of
> > these sps. sp Name and parameter map need to be resolved only at run time.
> > Is it possible with iBatis.
> >
> > Thanx in advance.
> >
>
> --
> View this message in context: http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11923238
> Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
>
>
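
The control over sp_name discussed above, as an added example that is not part of the original thread: the caller-supplied name is only ever matched against a fixed allowlist, and all values are bound as JDBC placeholders. The class and method names are hypothetical; the two procedures and their parameters are the ones from the question.

```java
import java.util.*;

// Added example, not code from the thread. Allowlist entries reuse the two
// procedures named in the question; SafeProcCall and its methods are hypothetical.
public class SafeProcCall {
    // Only procedures listed here can reach the SQL text; values are parameter names in call order.
    private static final Map<String, List<String>> ALLOWED = Map.of(
        "generate_bill", List.of("bill_id"),
        "generate_invoice", List.of("invoice_id", "start_date", "end_date"));

    final String sql;        // e.g. {call generate_bill(?)}
    final List<Object> args; // values to bind, in placeholder order

    private SafeProcCall(String sql, List<Object> args) { this.sql = sql; this.args = args; }

    static SafeProcCall resolve(String spName, Map<String, Object> params) {
        List<String> expected = ALLOWED.get(spName);
        if (expected == null)
            throw new IllegalArgumentException("procedure not allowlisted");
        if (!params.keySet().equals(new HashSet<>(expected)))
            throw new IllegalArgumentException("unexpected parameter set for " + spName);
        List<Object> args = new ArrayList<>();
        for (String p : expected) args.add(params.get(p));
        String marks = String.join(", ", Collections.nCopies(expected.size(), "?"));
        // spName equals one of the allowlisted keys here, so concatenating it is safe.
        return new SafeProcCall("{call " + spName + "(" + marks + ")}", args);
    }

    // Binding through JDBC keeps every value out of the SQL text.
    static void execute(java.sql.Connection c, SafeProcCall call) throws java.sql.SQLException {
        try (java.sql.CallableStatement cs = c.prepareCall(call.sql)) {
            for (int i = 0; i < call.args.size(); i++) cs.setObject(i + 1, call.args.get(i));
            cs.execute();
        }
    }

    public static void main(String[] a) {
        // Constructed sample inputs.
        SafeProcCall ok = resolve("generate_invoice",
            Map.of("invoice_id", 42, "start_date", "2007-07-01", "end_date", "2007-07-31"));
        System.out.println(ok.sql + " " + ok.args);
        try {
            resolve("drop table order;--", Map.of());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same resolved name could instead be handed to a mapped statement as the $sp_name$ value; the point is that the string substituted into the SQL comes from the allowlist, never from the request.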

Re: Running dynamic sp

Posted by John Dahl <cl...@gmail.com>.
OK, I did it successfully with "$" operator.
One thing I would like to know is can we prevent sql injection in this case.

Thank you for the solution.


John Dahl wrote:
> 
> Ok, here is my requirement. I need to run different sp having different
> parameters. For eg. I need to run following sps
> 1) call generate_bill( #bill_id#)
> 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
> 
> Can I create a single method in sql maps with dynamic tags (or
> programatically) so that the same method can be called to execute any of
> these sps. sp Name and parameter map need to be resolved only at run time.
> Is it possible with iBatis.
> 
> Thanx in advance.
> 



Re: Running dynamic sp

Posted by John Dahl <cl...@gmail.com>.
Thank you for the response. Can we use the same '$' technique to resolve the
parameters which are varying in both sps?


Ashok Madhavan wrote:
> 
> you can use the '$' parameters to send in stuff. Main thing to take into
> account for '$' is sql injection.
> 
> call $sp_name$( #bill_id#)
> 
> but then those two remaining two different method makes sense.
> 
> regards
> ashok
> 
> On 7/29/07, John Dahl <cl...@gmail.com> wrote:
>>
>>
>> Ok, here is my requirement. I need to run different sp having different
>> parameters. For eg. I need to run following sps
>> 1) call generate_bill( #bill_id#)
>> 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
>>
>> Can I create a single method in sql methods with dynamic tags so that the
>> same method can be called to execute any of these sps. sp Name and
>> parameter
>> map need to be resolved only at run time. Is it possible with iBatis.
>>
>> Thanx in advance.
>> --
>> View this message in context:
>> http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11850587
>> Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
>>
>>
> 
> 



Re: Running dynamic sp

Posted by Ashok Madhavan <as...@gmail.com>.
you can use the '$' parameters to send in stuff. Main thing to take into
account for '$' is sql injection.

call $sp_name$( #bill_id#)

but then those two remaining two different method makes sense.

regards
ashok

On 7/29/07, John Dahl <cl...@gmail.com> wrote:
>
>
> Ok, here is my requirement. I need to run different sp having different
> parameters. For eg. I need to run following sps
> 1) call generate_bill( #bill_id#)
> 2) call generate_invoice(#invoice_id#, #start_date#, #end_date#)
>
> Can I create a single method in sql methods with dynamic tags so that the
> same method can be called to execute any of these sps. sp Name and
> parameter
> map need to be resolved only at run time. Is it possible with iBatis.
>
> Thanx in advance.
> --
> View this message in context:
> http://www.nabble.com/Running-dynamic-sp-tf4165246.html#a11850587
> Sent from the iBATIS - User - Java mailing list archive at Nabble.com.
>
>