accountList = sqlMap.queryForList(
"Account.getByLikeCity",
"burg");
This time, iBATIS turns the statement into this:
select
accountId,
username,
password,
firstName,
lastName,
address1,
address2,
city,
state,
postalCode,
country
from Account
where city like '%burg%'
No parameters are set, because the statement is already complete, but one important thing to remember when using this technique is that it makes your application more susceptible to SQL injection attacks.
4.2.3 A quick look at SQL injection
A SQL injection attack is one where a malicious user passes specially formed data
to an application to make it do something it is not supposed to do. For example,
in the latter case, if a user provided this text:
burg'; drop table Account;--
it would turn our simple little select statement into this more nefarious set of
statements:
select
accountId,
username,
password,
firstName,
lastName,
address1,
address2,
city,
state,
postalCode,
country
from Account
where city like '%burg';drop table Account;--%'
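The fix is to let the driver bind the value (in iBATIS, a `#city#` placeholder instead of `$city$` text substitution) and to put the `%` wildcards into the Java value rather than into the SQL. The following is an added example, not code from the book, showing that contrast in Python against an in-memory SQLite table constructed for the purpose; it also escapes `%` and `_` so user input cannot widen the LIKE pattern.

```python
import sqlite3

# Constructed sample rows standing in for the book's Account table.
SAMPLE_ROWS = [("alice", "Pittsburgh"), ("bob", "Hamburg"), ("carol", "Springfield")]

# The hostile input quoted in the section above.
HOSTILE_CITY = "burg'; drop table Account;--"


def build_unsafe_sql(fragment):
    """Text substitution (iBATIS $...$ style): the user's text becomes part of
    the SQL itself. Shown only to reproduce the statement from the page; it is
    never executed here."""
    return "select username from Account where city like '%" + fragment + "%'"


def escape_like(fragment):
    """Keep user-supplied % and _ from acting as LIKE wildcards."""
    return (fragment.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))


def open_db():
    """In-memory SQLite stand-in for the Account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Account (username text, city text)")
    conn.executemany("insert into Account values (?, ?)", SAMPLE_ROWS)
    return conn


def find_by_like_city(conn, fragment):
    """Parameterized form (iBATIS #...# style): the wildcards are added to
    the bound value, so the SQL text is fixed and the driver treats the
    whole input as one string literal."""
    pattern = "%" + escape_like(fragment) + "%"
    rows = conn.execute(
        "select username from Account where city like ? escape '\\' "
        "order by username",
        (pattern,),
    ).fetchall()
    return [username for (username,) in rows]


def table_exists(conn, name):
    """Check used to show the table survived the hostile input."""
    (count,) = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return count == 1
```

With binding, the hostile string is simply a city substring that matches nothing, and the Account table is still there afterwards.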