Now your clever user has managed to select all the records in the database that
end in burg, which is no big deal. But he also managed to drop a table from your
database (and only one, if you are lucky—if he is a real clever user, he will realize
that this is a one-chance deal and drop multiple tables). The -- at the end of the
string tells the database to ignore anything that comes after the drop table
statement, so no error is thrown.
If this happens in a real application in a production environment because of
your code, it is going to be a very bad day at the office. As we mentioned earlier,
use substitution syntax with caution.
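The failure described above, reproduced as an added example (not code from the book or from iBATIS): a small Python/sqlite3 imitation of the two placeholder styles, with $value$ pasted into the SQL text and #value# sent as a bound parameter. The table names, sample rows, hostile input and helper names are constructed for illustration, and executescript stands in for a driver that accepts several statements in one call.

```python
import re
import sqlite3

PLACEHOLDER = re.compile(r"\$(\w+)\$|#(\w+)#")

def render(statement, params):
    """Imitate the two placeholder styles in one pass:
    $name$ is pasted into the SQL text, #name# becomes a bound parameter."""
    binds = []
    def swap(m):
        if m.group(1):                      # $name$: raw text substitution
            return str(params[m.group(1)])
        binds.append(params[m.group(2)])    # #name#: value travels separately
        return "?"
    return PLACEHOLDER.sub(swap, statement), binds

def make_db():
    # Constructed sample data; AuditLog exists only so there is a table to lose.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table Account (accountId integer primary key, city text);
        insert into Account (city) values ('Pittsburg'), ('Hamburg'), ('Boston');
        create table AuditLog (entry text);
    """)
    return db

def tables(db):
    rows = db.execute("select name from sqlite_master where type = 'table' order by name")
    return [r[0] for r in rows]

def query_substituted(db, value):
    sql, _ = render("select accountId from Account where city like '%$value$'",
                    {"value": value})
    db.executescript(sql)   # stands in for a driver that accepts stacked statements
    return sql

def query_bound(db, value):
    sql, binds = render("select accountId from Account where city like #pattern# "
                        "order by accountId", {"pattern": "%" + value})
    return [r[0] for r in db.execute(sql, binds)]

HOSTILE = "burg'; drop table AuditLog; --"   # constructed input of the kind described above

if __name__ == "__main__":
    db = make_db()
    print(query_substituted(db, HOSTILE), tables(db))   # AuditLog is gone
    db = make_db()
    print(query_bound(db, HOSTILE), query_bound(db, "burg"), tables(db))
```

Binding keeps the input out of the SQL text, but % and _ inside a bound value still act as LIKE wildcards, so escape them if the user should not control the pattern.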
Automatic result maps
You may have already noticed that in our examples we did not define any result
maps, but we did define result classes. This works through the automatic result
mapping done by iBATIS, which creates a result map on the fly and applies it to
the mapped statement the first time it is executed.
There are three ways to use this feature: single-column selection, fixed-column
list selection, and dynamic-column list selection.
If you do not provide either a result map or a result class, iBATIS will
execute your statement and simply return nothing. This is a behavior that
has been in iBATIS since the earliest days, and has caused many cases of
heartburn. Unfortunately, some users use select statements to do inserts
and updates, and while this may seem like a bad idea, we have left this in
to avoid breaking working applications.
If you only want to get a single column out of a query, you can use the alias value
as a shortcut to accomplish that:
select accountId as value
List list = sqlMap.queryForList(
This returns all of the accountId values in the Account table as a List of simple
If you need multiple columns, you can tell iBATIS to use the column names as
bean property names, or as Map keys using automatic result mapping.