Hi,

What is the best way to avoid SQL errors and/or injection due to existing apostrophes in string substitution (${})? I know the ideal is not to use string substitution at all, but sometimes it is the only way to deal with engine limitations or complex situations.

Typical usage case is in LIKE predicates:

select * from table where column like '%search_string_entered_by_user%'

Regards,
Pablo.

You received this message because you are subscribed to the Google Groups "mybatis-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email]. To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/f97fb4c0-c7e0-4d69-8951-6840587d3112%40googlegroups.com.
Use function concat instead.
Hi Pablo,

You really should not use ${} when the value is provided by users. ☢️

There are several approaches and using 'concat' or '||' is one of them.

Regards,
Iwao

On Thu, May 16, 2019 at 2:55 PM 肖凡 <[hidden email]> wrote:
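The two answers above in mapper form, as an added example that is not from the thread or the MyBatis project: the ${} LIKE predicate from the question beside three bind-parameter (#{}) versions. The namespace, table and column are hypothetical, and the mapper method is assumed to pass the user's text as a parameter named search.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
    "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<!-- Hypothetical namespace, table and column; only the binding style matters. -->
<mapper namespace="example.ItemMapper">

  <!-- UNSAFE: ${search} is spliced into the SQL text before the driver sees it.
       An apostrophe in the input ends the literal early, so the rest of the
       input is parsed as SQL. Kept only as the pattern to avoid. -->
  <select id="findUnsafe" resultType="map">
    SELECT * FROM item WHERE name LIKE '%${search}%'
  </select>

  <!-- SAFE: #{search} becomes a JDBC bind parameter (a ? placeholder). The value
       never enters the SQL text, so an apostrophe cannot change the statement.
       The wildcards are added on the database side with CONCAT. -->
  <select id="findConcat" resultType="map">
    SELECT * FROM item WHERE name LIKE CONCAT('%', #{search}, '%')
  </select>

  <!-- Same idea with the SQL-standard || operator (PostgreSQL, Oracle, SQLite). -->
  <select id="findPipes" resultType="map">
    SELECT * FROM item WHERE name LIKE '%' || #{search} || '%'
  </select>

  <!-- Same idea without depending on the database's string functions: build the
       pattern in MyBatis with <bind> and bind the whole pattern as one value. -->
  <select id="findBind" resultType="map">
    <bind name="pattern" value="'%' + search + '%'"/>
    SELECT * FROM item WHERE name LIKE #{pattern}
  </select>

</mapper>
```

Bind parameters stop injection, but a user-supplied % or _ is still a LIKE wildcard; if that matters, escape those characters in Java before binding and add an ESCAPE clause to the predicate.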