avoid errors/injection in string substitution

Pablo León
Hi,

What is the best way to avoid SQL errors and/or injection due to existing apostrophes in string substitution (${})? I know the ideal is not to use string substitution at all, but sometimes it is the only way to deal with engine limitations or complex situations. A typical use case is in LIKE predicates:

     select * from table where column like '%search_string_entered_by_user%'

Regards,

      Pablo.


--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/f97fb4c0-c7e0-4d69-8951-6840587d3112%40googlegroups.com.
Re: avoid errors/injection in string substitution

肖凡
Use function concat instead.

On 05/16/2019 00:59, [hidden email] wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/4fe09f28.1c1d.16abf3557cb.Coremail.iamlegend94%40163.com.
Re: avoid errors/injection in string substitution

Iwao AVE!
Hi Pablo,

You really should not use ${} when the value is provided by users. ☢️
There are several approaches and using 'concat' or '||' is one of them.
Regards,
Iwao

On Thu, May 16, 2019 at 2:55 PM 肖凡 <[hidden email]> wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/CA%2Buep2Ty2G7gyGnzvqJgb-1QnkHdgz1zHMXZfDGusXfEGSFa%2Bw%40mail.gmail.com.
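As an added worked example, not code from this thread or from the MyBatis project itself: a MyBatis annotation mapper that puts Pablo's vulnerable ${} LIKE query next to the #{} plus concat form the replies recommend, and runs both against an H2 in-memory database. The product table, its rows, the H2 URL, the mapper and method names and the escapeLike helper are all assumptions made for the demo; it expects the mybatis and h2 jars on the classpath.

```java
// Added example (not from the mailing-list thread or the MyBatis project).
// Assumed setup: mybatis and h2 on the classpath; table, rows and names are constructed.
import java.sql.Statement;
import java.util.List;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.datasource.pooled.PooledDataSource;
import org.apache.ibatis.mapping.Environment;
import org.apache.ibatis.session.Configuration;
import org.apache.ibatis.session.SqlSession;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;
import org.apache.ibatis.transaction.jdbc.JdbcTransactionFactory;

public class LikeSearchExample {

    public interface ProductMapper {
        // Vulnerable: ${} splices the raw value into the SQL text before it reaches
        // the JDBC driver. For search = O'Reilly the statement text becomes
        //   select name from product where name like '%O'Reilly%'
        // so a plain apostrophe is a syntax error and a crafted one is injection.
        @Select("select name from product where name like '%${search}%'")
        List<String> unsafeSearch(@Param("search") String search);

        // Hardened: #{} becomes a JDBC bind parameter (?) and the wildcards are
        // attached inside SQL with concat, so the value is only ever data.
        @Select("select name from product where name like concat('%', #{search}, '%')")
        List<String> safeSearch(@Param("search") String search);

        // Same, plus an ESCAPE clause so a user-supplied % or _ matches literally.
        @Select("select name from product where name like concat('%', #{search}, '%') escape '\\'")
        List<String> safeLiteralSearch(@Param("search") String search);
    }

    // Escape LIKE metacharacters in the bound value (a Java-side step; the SQL
    // text itself is untouched). Assumed helper, not part of MyBatis.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    public static void main(String[] args) throws Exception {
        PooledDataSource ds = new PooledDataSource(
                "org.h2.Driver", "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", "sa", "");
        Configuration cfg = new Configuration(
                new Environment("dev", new JdbcTransactionFactory(), ds));
        cfg.addMapper(ProductMapper.class);
        SqlSessionFactory factory = new SqlSessionFactoryBuilder().build(cfg);

        try (SqlSession session = factory.openSession();
             Statement st = session.getConnection().createStatement()) {
            // Constructed sample data: one row with an apostrophe, one with a literal %.
            st.execute("create table product(name varchar(100))");
            st.execute("insert into product values ('O''Reilly book'), ('100% cotton'), ('coffee')");
            ProductMapper m = session.getMapper(ProductMapper.class);

            // 1. Ordinary apostrophe breaks the ${} statement (MyBatis wraps the SQL error).
            try {
                m.unsafeSearch("O'Reilly");
            } catch (Exception e) {
                System.out.println("unsafe apostrophe: " + e.getClass().getSimpleName());
            }

            // 2. Injection: the value closes the literal and appends a predicate, giving
            //    ... where name like '%' or '1'='1' --%'   (the trailing %' is commented out)
            System.out.println("unsafe injected: " + m.unsafeSearch("' or '1'='1' --"));

            // 3. With #{} + concat the same inputs are bound values, never parsed as SQL.
            System.out.println("safe apostrophe: " + m.safeSearch("O'Reilly"));
            System.out.println("safe injected:   " + m.safeSearch("' or '1'='1' --"));

            // 4. Escaping the bound value makes a user-typed % match only the literal character.
            System.out.println("safe literal %:  " + m.safeLiteralSearch(escapeLike("100%")));
        }
    }
}
```

Calls 1 and 2 show why the thread's answers are blunt about ${} with user input: no escaping layer on the Java side can be trusted to keep the value out of the parser once it is spliced into the statement text. Calls 3 and 4 are the concat form from the replies; on engines that lack concat (PostgreSQL, Oracle, SQLite) the same query is written as `'%' || #{search} || '%'`, and the spelling of the ESCAPE character (and whether it is needed at all) is engine-specific, so check the target database before reusing safeLiteralSearch as-is.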