Posted to dev@phoenix.apache.org by "Rajeshbabu Chintaguntla (JIRA)" <ji...@apache.org> on 2017/01/20 06:14:26 UTC
[jira] [Created] (PHOENIX-3613) Avoid possible SQL Injection with proper input validations
Rajeshbabu Chintaguntla created PHOENIX-3613:
------------------------------------------------
Summary: Avoid possible SQL Injection with proper input validations
Key: PHOENIX-3613
URL: https://issues.apache.org/jira/browse/PHOENIX-3613
Project: Phoenix
Issue Type: Bug
Reporter: Rajeshbabu Chintaguntla
Assignee: Rajeshbabu Chintaguntla
There are possible SQL injections:
Issue 1:
*Overview*: On line 139 of PhoenixUtil.java, the method executeStatementThrowException() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
*Comment*: As the source SQL query can have an IN clause in the SQL statement, please use this link to fix it: http://stackoverflow.com/questions/3107044/preparedstatement-with-list-of-parameters-in-a-in-clause
Issue 2:
*Overview*: On line 60 of EntityFactory.java, the method findMultiple() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
*Comment*: The limit value can be misused as well.
*Tagged*: Suspicious
*Overview*: On line 154 of PhoenixUtil.java, the method executeStatement() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
*Comment*: Applying schema to file?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
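The two fixes the ticket points at for findMultiple()-style queries (one placeholder per IN value, generated from the count of values rather than from the values themselves, and LIMIT bound as a validated integer) are shown below as an added example. It is not Phoenix's own code: it uses Python's sqlite3 module, whose "?" placeholders behave like a JDBC PreparedStatement, in place of the Phoenix JDBC driver, and the users table, the function names and the attacker payload are constructed for illustration. The vulnerable form is kept deliberately vulnerable so the effect of the concatenated IN list and LIMIT can be seen side by side with the parameterized form.

```python
import sqlite3

# Constructed sample data standing in for a Phoenix table (not project data).
ROWS = [
    (1, "alice", "admin"),
    (2, "bob", "user"),
    (3, "carol", "user"),
    (4, "dave", "auditor"),
]

# Constructed attacker value for the IN list: closes the IN list and appends
# an always-true predicate. Paired with a LIMIT of "-1" (no cap in SQLite).
PAYLOAD_NAME = "x') OR ('1'='1"
PAYLOAD_LIMIT = "-1"


def make_db():
    """In-memory SQLite database with a small constructed 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def find_multiple_vulnerable(conn, names, limit):
    """The pattern the ticket flags: SQL text assembled by concatenating
    untrusted values into both the IN list and the LIMIT clause.
    Deliberately vulnerable; hypothetical name, not Phoenix's method."""
    in_list = ", ".join("'" + n + "'" for n in names)
    sql = (
        "SELECT id, name, role FROM users WHERE name IN (" + in_list + ")"
        " ORDER BY id LIMIT " + str(limit)
    )
    return conn.execute(sql).fetchall()


def limit_is_valid(limit):
    """LIMIT must be a positive int; bool is excluded because it subclasses int."""
    return isinstance(limit, int) and not isinstance(limit, bool) and limit >= 1


def find_multiple_safe(conn, names, limit):
    """Hardened form: one '?' per IN value (the placeholder string depends only
    on len(names), never on their content) and LIMIT bound as a validated
    integer. Equivalent to a JDBC PreparedStatement with setString/setInt."""
    if not names:
        return []
    if not limit_is_valid(limit):
        raise ValueError("limit must be a positive integer")
    placeholders = ", ".join("?" for _ in names)
    sql = (
        f"SELECT id, name, role FROM users WHERE name IN ({placeholders})"
        " ORDER BY id LIMIT ?"
    )
    return conn.execute(sql, (*names, limit)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable:", find_multiple_vulnerable(db, ["alice", "dave"], 5))
    print("benign, safe:      ", find_multiple_safe(db, ["alice", "dave"], 5))
    print("payload, vulnerable:", find_multiple_vulnerable(db, [PAYLOAD_NAME], PAYLOAD_LIMIT))
    print("payload, safe:      ", find_multiple_safe(db, [PAYLOAD_NAME], 10))
```

With the payload, the concatenated query becomes `... WHERE name IN ('x') OR ('1'='1') ORDER BY id LIMIT -1` and returns every row; the parameterized query treats the same string as a single literal name, matches nothing, and refuses a LIMIT that is not a positive integer before any SQL is sent. The same placeholder-generation approach is what the Stack Overflow answer linked in the ticket describes for JDBC.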