Posted to user-cs@ibatis.apache.org by oleksa borodie <ol...@gmail.com> on 2005/03/21 09:53:55 UTC

Integrate custom changes into trunk?

Hello. 

I've asked about poor performance with the MS SQL sp_executesql procedure
and queries with parameters. I've written a piece of code that tests
whether there are any named parameters in command.Parameters and,
if so, replaces each parameter name with its value. The replace algorithm is
very simple. This procedure is called after ApplyParameterMap in
MappedStatement.CreatePreparedCommand.
 As far as I understood, only MS SQL Server has this sp_executesql
performance lack. Is it possible at runtime to know which
database iBATIS is working with?
 Should this code be implemented in the trunk?

[code]
/// <summary>
/// Replace parameter names with parameter values.
/// Only parameters with names are handled; parameterMaps will be ignored.
/// </summary>
/// <param name="session"></param>
/// <param name="command"></param>
private void EmbedParameters(IDalSession session, IDbCommand command)
{
    IDataParameter p;
    // Walk backwards so RemoveAt(i) does not shift the parameters still to be visited.
    for (int i = command.Parameters.Count - 1; i >= 0; i--)
    {
        p = (IDataParameter)command.Parameters[i];
        // Note: IndexOf/Replace work on substrings, so a name such as @p1 also matches inside @p10.
        if (p.Direction == ParameterDirection.Input &&
            command.CommandText.IndexOf(p.ParameterName) > 0)
        {
            switch (p.DbType)
            {
                case DbType.String:
                case DbType.AnsiString:
                case DbType.AnsiStringFixedLength:
                case DbType.StringFixedLength:
                    // Quote the literal and double any embedded single quotes.
                    command.CommandText = command.CommandText.Replace(p.ParameterName,
                        "'" + p.Value.ToString().Replace("'", "''") + "'");
                    break;
                case DbType.Date:
                case DbType.DateTime:
                    DateTime v = Convert.ToDateTime(p.Value);
                    command.CommandText = command.CommandText.Replace(p.ParameterName,
                        String.Format("'{0}.{1}.{2} {3}:{4}:{5}.{6}'", v.Year, v.Month,
                            v.Day, v.Hour, v.Minute, v.Second, v.Millisecond));
                    // command.CommandText = command.CommandText.Replace(p.ParameterName,
                    //     "'" + p.Value.ToString() + "'");
                    break;
                case DbType.Double:
                case DbType.Decimal:
                case DbType.Currency:
                case DbType.Single:
                    // Normalise a locale-specific decimal comma to a point.
                    command.CommandText = command.CommandText.Replace(p.ParameterName,
                        p.Value.ToString().Replace(',', '.'));
                    break;
                default:
                    // Other types are embedded unquoted, exactly as ToString() renders them.
                    command.CommandText = command.CommandText.Replace(p.ParameterName,
                        p.Value.ToString());
                    break;
            }
            command.Parameters.RemoveAt(i);
        }
    }
}
[/code]

Re: Integrate custom changes into trunk?

Posted by Gilles Bayon <ib...@gmail.com>.
We are thinking of implementing this request as an optional setting (in
case of MSSQL use).

Re: Integrate custom changes into trunk?

Posted by oleksa borodie <ol...@gmail.com>.
On Tue, 22 Mar 2005 05:42:54 -0500, Ted Husted <te...@gmail.com> wrote:

> > > Doing so exposes you to SQL injection attacks.
> >
> >  But I'm replacing all single quotes with double quotes, as you can
> > see. I'm using iBATIS with an application server and thought that it is
> > enough to replace one single quote with a double single quote. Isn't it?
> ...
> Do we have any unit tests which show how iBATIS.NET reacts when SQL
> injection is attempted?

 What tests do you mean? Tests that show how performance increases in
case of replacing parameters with their values, or tests of how SQL injection
is avoided with the Replace("\'", "\'\'") operator? I could try to write some
for SQL injection. Should I?

> If there is a debate over a feature, the best thing might be to focus
> on tests that demonstrate the feature.

 There is one more problem: the performance problem with sp_executesql is
specific only to MS SQL Server, so replacing parameters with values
is relevant only for MS SQL connections. For all others it will be
unnecessary, AFAIK.

Good luck.
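The test Ted asks about, and the EmbedParameters code from the first post, as an added example that is not from this thread or from iBATIS.NET: a Python port of the embedding logic (the type switch, the sqlite3 in-memory sample table, and all function names are assumptions) that runs one query through both the embedded-literal path and driver-bound parameters, so a unit test can assert that the two agree. It also contrasts a whole-token replace with the substring replace the original code performs, which is where @p1 collides with @p10.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample table so both execution paths can be compared offline.
SAMPLE_ROWS = [(1, "O'Brien", 12.5), (2, "Smith", 7.0), (3, "D'Arcy", 12.5)]
SAMPLE_SCHEMA = "CREATE TABLE person (id INTEGER, name TEXT, score REAL)"


def embed_parameters(sql, params):
    """Port of the EmbedParameters idea: splice each named parameter's value
    into the SQL text as a literal.  Assumption: the DbType switch is reduced
    to Python types (str / datetime / bool / int / float / other)."""
    for name, value in params.items():
        if isinstance(value, str):
            # String branch: quote the literal and double embedded single quotes.
            literal = "'" + value.replace("'", "''") + "'"
        elif isinstance(value, datetime):
            literal = "'" + value.strftime("%Y-%m-%d %H:%M:%S") + "'"
        elif isinstance(value, bool):  # bool before int: bool is an int subclass
            literal = "1" if value else "0"
        elif isinstance(value, (int, float)):
            # repr() never emits a decimal comma, so the ',' -> '.' step is a no-op here.
            literal = repr(value).replace(",", ".")
        else:
            # Default branch of the original: str() spliced in unquoted.
            literal = str(value)
        # Whole-token match: a plain substring replace lets @p1 also hit @p10.
        pattern = re.escape(name) + r"(?![A-Za-z0-9_])"
        sql = re.sub(pattern, lambda _m: literal, sql)
    return sql


def naive_replace(sql, params):
    """The substring replace the original code performs, kept for contrast."""
    for name, value in params.items():
        sql = sql.replace(name, str(value))
    return sql


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def run_embedded(sql, params):
    """Execute the SQL with values spliced in as literals (no bound parameters)."""
    with _connect() as conn:
        return conn.execute(embed_parameters(sql, params)).fetchall()


def run_parameterized(sql, params):
    """Execute the same SQL with the values bound by the driver.  sqlite3 accepts
    the @name placeholder syntax; the dict keys omit the leading '@'."""
    bound = {name.lstrip("@:"): value for name, value in params.items()}
    with _connect() as conn:
        return conn.execute(sql, bound).fetchall()


def paths_agree(sql, params):
    """Unit-test style check: both execution paths must return identical rows."""
    return run_embedded(sql, params) == run_parameterized(sql, params)


if __name__ == "__main__":
    q = "SELECT id, name FROM person WHERE name = @name"
    print(embed_parameters(q, {"@name": "O'Brien"}))
    print(run_embedded(q, {"@name": "O'Brien"}), paths_agree(q, {"@name": "O'Brien"}))
    q2 = "SELECT id FROM person WHERE id = @p1 OR id = @p10"
    print(naive_replace(q2, {"@p1": 1, "@p10": 3}))
    print(embed_parameters(q2, {"@p1": 1, "@p10": 3}))
```

The quote-doubling branch does hold up for a value such as O'Brien, which is why both paths return the same row; the point of asserting on the parameterized path is that it needs no escaping logic at all, so any branch of the type switch that is added later (the unquoted default branch, the locale-dependent number formatting) has a reference result to be compared against.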

Re: Integrate custom changes into trunk?

Posted by oleksa borodie <ol...@gmail.com>.
Hello

On Mon, 21 Mar 2005 18:54:39 +0100, Gilles Bayon <ib...@gmail.com> wrote:
> Doing so exposes you to SQL injection attacks.

 But I'm replacing all single quotes with double quotes, as you can
see. I'm using iBATIS with an application server and thought that it is
enough to replace one single quote with a double single quote. Isn't it?
 I need this functionality in any case, whether it is implemented in the
iBATIS trunk or not. Using sp_executesql with parameters causes about
a 700 times performance loss.
 Help me please: is there any pattern for how I could maintain a custom
build of an open source project, merging my changes with new versions
of iBATIS? I could put iBATIS with my changes in a local SVN repository
and merge it with snapshots from the iBATIS repository. But how should I
deal with branches? E.g. 1.0.1.1 is the version with my changes (local
repository) and I've downloaded 1.1.0 from the iBATIS repository. How could
I put 1.1.0 into the local repository: 'svn import' or 'svn commit'?
Should I create two projects (with custom changes and original) and
perform a merge from the original version of the iBATIS project to the local
version? Is it possible in Subversion?

Thank you.

Re: Integrate custom changes into trunk?

Posted by Gilles Bayon <ib...@gmail.com>.
Doing so exposes you to SQL injection attacks.