Mybatis bind element Oracle bin variable?


Mybatis bind element Oracle bin variable?

rashed
Hi All

I need to know if I use Mybatis bind element like the following:

<select id="selectBlogsLike" resultType="Blog">
  <bind name="pattern" value="'%' + _parameter.getTitle() + '%'" />
  SELECT * FROM BLOG
  WHERE title LIKE #{pattern}
</select>

Will this bind element be treated as bind variable in Oracle?

Thanks

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.

Re: Mybatis bind element Oracle bin variable?

rashed
I actually mean Oracle Bind Variable not Bin Variable...sorry.

On Friday, February 6, 2015 at 3:32:21 PM UTC+8, Rashedul Hasan wrote:

Re: Mybatis bind element Oracle bin variable?

Frank Martínez
Hi Rashedul,

No, it will only create a JDBC parameter binding.

  SELECT * FROM BLOG
  WHERE title LIKE ?




On Fri, Feb 6, 2015 at 3:41 AM, Rashedul Hasan <[hidden email]> wrote:
--
Frank D. Martínez M.


Re: Mybatis bind element Oracle bin variable?

rashed
Hi Frank

Thanks...could you please tell me how to do this from Mybatis? I need to pass a parameter which will be Oracle bind variable like below:

SELECT * FROM BLOG
WHERE title LIKE :bindVar

to avoid hard parse. 

Thanks

On Friday, February 6, 2015 at 6:33:06 PM UTC+6, Frank Martinez wrote:

Re: Mybatis bind element Oracle bin variable?

Frank Martínez
According to this: http://www.akadia.com/services/ora_bind_variables.html
JDBC Prepared statement parameters are equivalent to Bind variables in Oracle.

The next question is though, what about VB, Java and other applications that fire SQL queries against an Oracle database. How do these use bind variables? Do you have to in fact split your SQL into two statements, one to set the bind variable, and one for the statement itself?

In fact, the answer to this is actually quite simple. When you put together an SQL statement using Java, or VB, or whatever, you usually use an API for accessing the database; ADO in the case of VB, JDBC in the case of Java. All of these APIs have built-in support for bind variables and it's just a case of using this support rather than just concatenating a string yourself and submitting it to the database.

For example, Java has PreparedStatement, which allows the use of bind variables, and Statement, which uses the string concatenation approach. If you use the method that supports bind variables, the API itself passes the bind variable value to Oracle at runtime, and you just submit your SQL statement as normal. There's no need to separately pass the bind variable value to Oracle, and actually no additional work on your part. Support for bind variables isn't just limited to Oracle - it's common to other RDBMS platforms such as Microsoft SQL Server, so there's no excuse for not using them just because they might be an Oracle-only feature.




On Fri, Feb 6, 2015 at 9:01 AM, Rashedul Hasan <[hidden email]> wrote:

Re: Mybatis bind element Oracle bin variable?

rashed

Got it... thanks... then what is the difference between these two formats in Mybatis:

<select id="selectBlogsLike" resultType="Blog">
  <bind name="pattern" value="'%' + _parameter.getTitle() + '%'" />
  SELECT * FROM BLOG
  WHERE title LIKE #{pattern}
</select>

AND

<select id="selectBlogsLike" resultType="Blog">  
  SELECT * FROM BLOG
  WHERE title LIKE #{pattern}
</select>

It seems like both will be the same. If so, what is the purpose of this BIND element? Thanks
On Friday, February 6, 2015 at 8:07:47 PM UTC+6, Frank Martinez wrote:

Re: Mybatis bind element Oracle bin variable?

Frank Martínez
In the first case, you can bind any expression inside the mapper. In the second case you have to calculate the expression in java and pass its result to the mapper. 

On Fri, Feb 6, 2015 at 9:25 AM, Rashedul Hasan <[hidden email]> wrote:


Re: Mybatis bind element Oracle bin variable?

rashed
Thanks a lot.

On Friday, February 6, 2015 at 10:37:56 PM UTC+8, Frank Martinez wrote:

Re: Mybatis bind element Oracle bin variable?

Manohar Parelly
In reply to this post by Frank Martínez
Hi, 
How safe is it to use the <bind> variable to set parameter values with respect to SQL Injection attacks? I see <bind> variables allow us to set parameters during query preparation, same as preparing the query manually with string concatenation in Java.

Regards,
Manohar Parelly

On Friday, February 6, 2015 at 8:37:56 AM UTC-6, Frank Martínez wrote:

Re: Mybatis bind element Oracle bin variable?

Vladimir Alarcon
As a MyBatis user (not a developer) I would say that using <bind> is safe in respect to SQL injection.

The only potentially unsafe usage is when you type ${parameter}. Note the dollar sign ($) instead of the pound sign (#). Even with the dollar sign ($) you can still make it SQL-Injection-safe by sanitizing the "parameter" value. That is, escaping or removing special characters.

On Tuesday, February 13, 2018 at 2:17:34 PM UTC-5, Manohar Parelly wrote:
Hi, 
How safe is it to use <bind> variables to set parameter values with respect to SQL Injection attacks? I see <bind> variables allow us to set parameters during query preparation, same as preparing the query manually with string concatenation in Java.

Regards,
Manohar Parelly

On Friday, February 6, 2015 at 8:37:56 AM UTC-6, Frank Martínez wrote:
In the first case, you can bind any expression inside the mapper. In the second case you have to calculate the expression in java and pass its result to the mapper. 

On Fri, Feb 6, 2015 at 9:25 AM, Rashedul Hasan <[hidden email]> wrote:

Got it, thanks. Then what is the difference between these two formats in Mybatis:

<select id="selectBlogsLike" resultType="Blog">
  <bind name="pattern" value="'%' + _parameter.getTitle() + '%'" />
  SELECT * FROM BLOG
  WHERE title LIKE #{pattern}
</select>

AND

<select id="selectBlogsLike" resultType="Blog">  
  SELECT * FROM BLOG
  WHERE title LIKE #{pattern}
</select>

It seems like both will be the same. If so, what is the purpose of this BIND element? Thanks
On Friday, February 6, 2015 at 8:07:47 PM UTC+6, Frank Martinez wrote:
According to this: http://www.akadia.com/services/ora_bind_variables.html
JDBC Prepared statement parameters are equivalent to Bind variables in Oracle.

The next question is though, what about VB, Java and other applications that fire SQL queries against an Oracle database. How do these use bind variables? Do you have to in fact split your SQL into two statements, one to set the bind variable, and one for the statement itself?

In fact, the answer to this is actually quite simple. When you put together an SQL statement using Java, or VB, or whatever, you usually use an API for accessing the database; ADO in the case of VB, JDBC in the case of Java. All of these APIs have built-in support for bind variables and it's just a case of using this support rather than just concatenating a string yourself and submitting it to the database.

For example, Java has PreparedStatement, which allows the use of bind variables, and Statement, which uses the string concatenation approach. If you use the method that supports bind variables, the API itself passes the bind variable value to Oracle at runtime, and you just submit your SQL statement as normal. There's no need to separately pass the bind variable value to Oracle, and actually no additional work on your part. Support for bind variables isn't just limited to Oracle - it's common to other RDBMS platforms such as Microsoft SQL Server, so there's no excuse for not using them just because they might be an Oracle-only feature.




On Fri, Feb 6, 2015 at 9:01 AM, Rashedul Hasan <[hidden email]> wrote:
Hi Frank

Thanks...could you please tell me how to do this from Mybatis? I need to pass a parameter which will be Oracle bind variable like below:

SELECT * FROM BLOG
WHERE title LIKE :bindVar

to avoid a hard parse.

Thanks

On Friday, February 6, 2015 at 6:33:06 PM UTC+6, Frank Martinez wrote:
Hi Rashedul,

No, it will only create a jdbc parameter binding.

  SELECT * FROM BLOG
  WHERE title LIKE ?




On Fri, Feb 6, 2015 at 3:41 AM, Rashedul Hasan <[hidden email]> wrote:
I actually mean Oracle Bind Variable not Bin Variable...sorry.


On Friday, February 6, 2015 at 3:32:21 PM UTC+8, Rashedul Hasan wrote:
Hi All

I need to know if I use Mybatis bind element like the following:

<select id="selectBlogsLike" resultType="Blog">
  <bind name="pattern" value="'%' + _parameter.getTitle() + '%'" />
  SELECT * FROM BLOG
  WHERE title LIKE #{pattern}
</select>

Will this bind element be treated as bind variable in Oracle?

Thanks

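Worked example, added here and not code from the thread or from the MyBatis project, of the point the thread settles on: the <bind> + #{pattern} form sends the computed pattern as one JDBC '?' parameter (an Oracle bind variable), while ${...} pastes the value into the SQL text before the database parses it. Python's DB-API '?' placeholder stands in for JDBC PreparedStatement, an in-memory SQLite BLOG table stands in for the Oracle table, and the rows and hostile titles are constructed for the demo (assumption: Oracle's LIKE, ESCAPE and '--' comment behave the same for these statements). It also shows the caveat the thread's '%' + title + '%' pattern carries: binding stops injection, but a bound '%' or '_' is still a LIKE wildcard, so the value needs escaping plus an ESCAPE clause if it must match literally.

```python
"""Added example (not from the thread or MyBatis): JDBC-style parameter
binding versus string substitution, on SQLite standing in for Oracle."""
import sqlite3

# Constructed sample rows for the demo; not data from the thread.
SAMPLE_ROWS = [
    ("MyBatis tips", "alice"),
    ("Oracle bind variables", "bob"),
    ("Secret draft", "carol"),
    ("100% coverage", "dave"),
]


def make_db() -> sqlite3.Connection:
    """In-memory BLOG table (assumption: Oracle behaves the same for these queries)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BLOG (id INTEGER PRIMARY KEY, title TEXT, author TEXT)")
    conn.executemany("INSERT INTO BLOG (title, author) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def select_like_bound(conn, title):
    """The <bind> / #{pattern} form: the pattern is computed in the mapper
    (here in Python) and shipped as a single '?' parameter.  The SQL text the
    database parses is constant, so the value can never change its structure."""
    pattern = "%" + title + "%"
    rows = conn.execute("SELECT title FROM BLOG WHERE title LIKE ? ORDER BY id", (pattern,))
    return [r[0] for r in rows]


def select_like_substituted(conn, title):
    """The ${title} form: the value is spliced into the SQL text before parsing.
    Deliberately vulnerable, to show what the dollar form actually does."""
    sql = "SELECT title FROM BLOG WHERE title LIKE '%" + title + "%' ORDER BY id"
    return [r[0] for r in conn.execute(sql)]


def escape_like(value, esc="\\"):
    """Make LIKE metacharacters in a bound value match literally.  The escape
    character itself is doubled first so the caller cannot smuggle one in."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def select_like_bound_escaped(conn, title):
    """Bound AND escaped: the only form where a user-supplied '%' means '%'."""
    pattern = "%" + escape_like(title) + "%"
    rows = conn.execute(
        "SELECT title FROM BLOG WHERE title LIKE ? ESCAPE '\\' ORDER BY id", (pattern,))
    return [r[0] for r in rows]


def demo():
    """Run each form against a normal title, an injection payload and a bare wildcard."""
    conn = make_db()
    injection = "x' OR 1=1 --"   # constructed hostile input
    return {
        "bound_normal": select_like_bound(conn, "Oracle"),
        "bound_injection": select_like_bound(conn, injection),            # []: treated as data
        "substituted_injection": select_like_substituted(conn, injection),  # every row leaks
        "bound_wildcard": select_like_bound(conn, "%"),                   # every row: still a wildcard
        "escaped_wildcard": select_like_bound_escaped(conn, "%"),         # only the title containing '%'
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

The bound forms never let the payload reach the parser, which is the same guarantee a JDBC PreparedStatement gives Oracle and the reason the <bind> element in the thread is safe; the wildcard case is the separate, non-injection problem that binding alone does not solve, and escaping belongs on the value before it is bound, not in the SQL text.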