Posted to issues@drill.apache.org by "Tobias (JIRA)" <ji...@apache.org> on 2017/03/16 08:40:41 UTC

[jira] [Commented] (DRILL-5079) PreparedStatement dynamic parameters to avoid SQL Injection test

    [ https://issues.apache.org/jira/browse/DRILL-5079?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15927668#comment-15927668 ] 

Tobias commented on DRILL-5079:
-------------------------------

We would also like this for the above reason, and additionally we would like the plan for the statement, or at least parts of the physical plan, to be cached,
as it is a significant part of the query plan for short-running queries.



> PreparedStatement dynamic parameters to avoid SQL Injection test
> ----------------------------------------------------------------
>
>                 Key: DRILL-5079
>                 URL: https://issues.apache.org/jira/browse/DRILL-5079
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Client - JDBC
>    Affects Versions: 1.8.0
>            Reporter: Wahyu Sudrajat
>            Priority: Critical
>              Labels: security
>
> Capability to use PreparedStatement with dynamic parameters to prevent SQL Injection.
> For example:
> select  * from PEOPLE where FIRST_NAME = ? and LAST_NAME = ? limit 100
> As for now, Drill will return:
> Error Message:PreparedStatementCallback; uncategorized SQLException for SQL []; SQL state [null]; error code [0]; Failed to create prepared statement: PLAN ERROR: Cannot convert RexNode to equivalent Drill expression. RexNode Class: org.apache.calcite.rex.RexDynamicParam, RexNode Digest: ?0



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
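As an added illustration (not code from the Drill project or from this thread), the parameterized form of the PEOPLE query that DRILL-5079 asks for, next to the string-concatenated form it is meant to replace; the connection URL, the PEOPLE table and its two columns are assumed for the example.

```java
// Added example, not part of the JIRA thread or the Drill code base.
// Shows why bound parameters (the capability DRILL-5079 requests) are the
// defence against SQL injection, and what the issue reports on Drill 1.8.0.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class PeopleLookup {
    // Assumed Drillbit endpoint for illustration; adjust to your cluster.
    private static final String URL = "jdbc:drill:drillbit=localhost:31010";

    // UNSAFE: user-controlled values are spliced into the SQL text, so the
    // database parser sees them as part of the statement rather than as data.
    // This is the pattern the reporter is trying to get away from.
    static String concatenatedQuery(String first, String last) {
        return "select * from PEOPLE where FIRST_NAME = '" + first
             + "' and LAST_NAME = '" + last + "' limit 100";
    }

    // SAFE: the SQL text is fixed at prepare time; the values are bound with
    // setString() and are never parsed as SQL. On Drill 1.8.0 prepareStatement()
    // fails with the RexDynamicParam PLAN ERROR quoted in the issue, which is
    // exactly what DRILL-5079 asks to fix.
    static int countMatches(Connection conn, String first, String last)
            throws SQLException {
        String sql = "select * from PEOPLE where FIRST_NAME = ? and LAST_NAME = ? limit 100";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, first);
            ps.setString(2, last);
            int rows = 0;
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows++;
                }
            }
            return rows;
        }
    }

    public static void main(String[] args) throws SQLException {
        // Usage: java PeopleLookup <first_name> <last_name>
        try (Connection conn = DriverManager.getConnection(URL)) {
            System.out.println(countMatches(conn, args[0], args[1]));
        }
    }
}
```

Until the planner accepts RexDynamicParam, the only safe interim option is to avoid building the WHERE clause from untrusted input at all, since escaping by hand is what prepared statements exist to replace.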