ibatis-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrey (JIRA)" <ibatis-...@incubator.apache.org>
Subject [jira] Commented: (IBATIS-333) Patch which allow to subsititute property with column name from ResultMap in dynamic sql
Date Fri, 18 Aug 2006 20:51:14 GMT
    [ http://issues.apache.org/jira/browse/IBATIS-333?page=comments#action_12429121 ] 
Andrey commented on IBATIS-333:

Simple. Because when iBatis lives behind DAO only POJO properties seen. It is really bad idea
to use SQL fields in external world.

Let's imagine, we have jsp table. How many code You write to check, that substitution is correct?
That there is no sql injection?
If field name changed? 
With this feature your can write generic code, which will sort (not in all case, but in many)
by property name and nothing know about internal database fields.

I know, we can use $subsitution$ and all fields in SQL represent with "as alias". But this
is double work. I _already_ have described
fields <-> properties, why I can't use them? And in any case $substitution$ is _very_
insecure. I use it only in special cases and 
always this usage doesn't cross DAO boundaries... 

> Patch which allow to subsititute property with column name from ResultMap in dynamic
> ----------------------------------------------------------------------------------------
>                 Key: IBATIS-333
>                 URL: http://issues.apache.org/jira/browse/IBATIS-333
>             Project: iBatis for Java
>          Issue Type: New Feature
>          Components: SQL Maps
>    Affects Versions: 2.2.0
>            Reporter: Andrey
>         Attachments: insertColumnName.patch
> In situtation, when i need to implement sorting, I need to create such monster, like
abator creates for me. But
> if i only need sorting, here should be mapping beetween columns and properties (if they
specified explicitly
> in ResultMap). In this case, i can write 
>     <resultMap id="dynamicAccountResult" class="testdomain.Account">
>         <result column="ACC_ID" property="id"/>
>         <result column="ACC_FIRST_NAME" property="firstName"/>
>         <result column="ACC_LAST_NAME" property="lastName"/>
>         <result column="ACC_EMAIL" property="emailAddress"/>
>     </resultMap>
>   <select id="dynamicInsertColumnName"
>     parameterClass="string"
>     resultMap="dynamicAccountResult">
>     select
>       ACC_ID,
>       ACC_LAST_NAME,
>       ACC_EMAIL
>     from ACCOUNT
>     <dynamic>
>       <insertColumnName prepend="where"> = 1</insertColumnName>  <!--
ibatis replace this with column mapped for "id" passed as unnamed property -->
>       <insertColumnName prepend="order by"/> 
>     </dynamic>
>   </select>
>   public void testInsertColumnName() throws SQLException {
>     List list = sqlMap.queryForList("dynamicInsertColumnName", "id"); // Here we pass
our property name
>     assertEquals(1, list.size());
>   }
> SQL will be
>     select
>       ACC_ID,
>       ACC_LAST_NAME,
>       ACC_EMAIL
>     from ACCOUNT
>      where ACC_ID = 1
>      order by ACC_ID
> In any case, we can pass some AccountCriteria which will hold a list with soring properties
names and we can iterate in dynamic sql
> and get multiply field "order by" clause
> PS: Not all things tested yet. No errors thrown. This is alpha of this feature. This
is proof of conecpt (due of little amount of structural
> changes in other ibatis classes). If developers wan't this feature and agree with my
decisions, I'll implement all other bells and whishes
> like error checking, tests and may be other extensions for this tag.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message