Mybatis mix prepared statement with sql injection

Question

I have a query that I'd like Mybatis to treat as a sql injection for part of it an also as a prepared statement. I am using Mybatis xml files rather than annotations. Here is what I'm trying to do...

My java object is passing a parameter map containing a processId and a start and end date. The processId is part of the "top" of the query before the WHERE clause. The start and end date are in the WHERE clause. So I'm trying to get the benefit of running as a prepared statement but I don't know the processId until runtime. My sql would look something like the following but not sure how to mix these two modes of building the sql together. Is there a way I can do this?

   SELECT ${processId}, x, y, z FROM AnotherTable t
     WHERE t.startDate >= ? AND t.endDate <= ?```

Answer 1

I found the answer. I just had to specify BOTH parameterType AND parameterMap attributes in my Insert tag...

<parameterMap type="java.util.Map" id="myParameterMap">
    <parameter property="startDate"/>
    <parameter property="endDate"/>
  </parameterMap>

  <insert  id="theSqlToRun" parameterType="java.util.Map" parameterMap="myParameterMap">
SELECT ${processId}, x, y, z FROM AnotherTable t
     WHERE t.startDate >= ? AND t.endDate <= ?
</insert>

Answer 2

You don't need SQL Injection (as in ${a}). Normal parameters (as in #{a}) will work. You don't mention the specific database but as far as I remember all JDBC drivers I've tried support parameters in the "select list".

You can do:

<select id="mySelect">
  select #{processId}, x, y, z 
  from AnotherTable t
  where t.startDate >= #{startDate} AND t.endDate &lt;= #{endDate}
</select>

And remember to escape your < as shown above.