Is there anything built into Ibatis that helps prevent SQL Injection attacks? I'm not looking for a list of ways outside of Ibatis to do this, and am just wondering if Ibatis has anything to prevent SQL Injection.
2 Answers
22
IBatis uses JDBC prepared statements under the hood and is therefore safe. However, this only applies if you use the # notation. It's also possible to concat variables directly into your query using the $ notation, which is not safe (unless you escape them). See this article for background info.

Richard Kettelerij
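The difference between the two notations described in the answer above can be checked mechanically. The following is an added example, not part of the original answers: a small Python audit that reports, per statement in a mapping file, which parameters are bound (# notation) and which are spliced into the SQL text ($ notation). The sample sqlMap, its statement ids and its table and property names are constructed for illustration, and the patterns also cover the MyBatis 3 forms `#{...}` and `${...}`, which goes beyond the iBATIS 2.x syntax discussed here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample iBATIS 2.x sqlMap; all ids, tables and properties are made up.
SAMPLE_SQLMAP = """\
<sqlMap namespace="User">
  <select id="findByName" parameterClass="string" resultClass="map">
    SELECT id, name FROM users WHERE name = #value#
  </select>
  <select id="findSorted" parameterClass="map" resultClass="map">
    SELECT id, name FROM users WHERE status = #status#
    ORDER BY $sortColumn$
  </select>
  <delete id="purge" parameterClass="map">
    DELETE FROM $tableName$
    <dynamic prepend="WHERE">
      <isNotNull property="owner">owner = '$owner$'</isNotNull>
    </dynamic>
  </delete>
</sqlMap>
"""

STATEMENT_TAGS = {"select", "insert", "update", "delete", "statement", "procedure", "sql"}
# $prop$ (iBATIS 2.x) or ${prop} (MyBatis 3): text spliced into the SQL string.
SUBSTITUTION = re.compile(r"\$\{\s*([\w.\[\]]+)[^}]*\}|\$([\w.\[\]]+)\$")
# #prop# / #prop:TYPE# (iBATIS 2.x) or #{prop} (MyBatis 3): bound as a JDBC parameter.
BOUND = re.compile(r"#\{\s*([\w.\[\]]+)[^}]*\}|#([\w.\[\]]+)(?::[^#]*)?#")

def audit_sqlmap(xml_text):
    """Return {statement id: {"bound": [...], "substituted": [...]}}."""
    report = {}
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag not in STATEMENT_TAGS:
            continue
        sql = "".join(elem.itertext())  # includes text inside <dynamic> children
        report[elem.get("id", "?")] = {
            "bound": [a or b for a, b in BOUND.findall(sql)],
            "substituted": [a or b for a, b in SUBSTITUTION.findall(sql)],
        }
    return report

def risky_statements(xml_text):
    """Ids of statements containing at least one $...$ / ${...} substitution."""
    return sorted(k for k, v in audit_sqlmap(xml_text).items() if v["substituted"])

if __name__ == "__main__":
    for stmt, found in audit_sqlmap(SAMPLE_SQLMAP).items():
        print(stmt, found)
```

Each flagged statement needs a manual look: identifiers such as a sort column cannot be bound as parameters, so the usual fix there is to map the caller's input onto a fixed list of allowed column names before it reaches the mapper.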
-3
I'd guess iBatis is using prepared statements, and parameter binding, so it's safe.

Bozho
-1 - guessing for something as sensitive as a SQL Injection entry point – Diarmaid Dec 04 '12 at 11:58
It's not safe when using $ notation – didxga May 24 '13 at 09:20