Posted to dev@phoenix.apache.org by "Istvan Toth (Jira)" <ji...@apache.org> on 2021/09/22 16:18:00 UTC

[jira] [Created] (PHOENIX-6560) Rewrite dynamic SQL queries to use Preparedstatement

Istvan Toth created PHOENIX-6560:
------------------------------------

             Summary: Rewrite dynamic SQL queries to use Preparedstatement
                 Key: PHOENIX-6560
                 URL: https://issues.apache.org/jira/browse/PHOENIX-6560
             Project: Phoenix
          Issue Type: Improvement
          Components: core
            Reporter: Istvan Toth


Most of the Phoenix code base already uses PreparedStatements and binds all potentially vulnerable data as parameters.

However, there are some places where we concatenate potentially problematic strings into the query.

While most of those are constants and such, we should preferably pass all data as parameters to be on the safe side.

(We still have to build the PreparedStatement SQL text dynamically, for handling things such as IS NULL, empty IN clauses and the like.)

SpotBugs marks these with SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, so they're easy to find.
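As an added illustration of the pattern the ticket asks for (this is not Phoenix code; the table T and the columns TENANT_ID and STATUS are assumed), the statement text below is still assembled dynamically because its shape depends on the input, but every data value is bound as a parameter rather than concatenated:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example, not Phoenix's own code. Table/column names are assumptions.
// The SQL shape is dynamic (IS NULL vs. "= ?", empty IN list), the data is bound.
public final class DynamicQueryBuilder {

    /** SQL text plus the values to bind, in placeholder order. */
    public record Query(String sql, List<Object> params) {}

    // The shape SpotBugs flags with SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE:
    // a tenantId containing a quote character changes the meaning of the query.
    public static String unsafeSql(String tenantId) {
        return "SELECT * FROM T WHERE TENANT_ID = '" + tenantId + "'";
    }

    // Hardened shape: tenantId == null -> "TENANT_ID IS NULL" (NULL cannot be "= ?"),
    // statuses empty -> "AND 1 = 0" (an empty "IN ()" is invalid SQL; match nothing).
    public static Query build(String tenantId, List<String> statuses) {
        List<Object> params = new ArrayList<>();
        StringBuilder sql = new StringBuilder("SELECT * FROM T WHERE ");
        if (tenantId == null) {
            sql.append("TENANT_ID IS NULL");
        } else {
            sql.append("TENANT_ID = ?");
            params.add(tenantId);
        }
        if (statuses != null) {
            if (statuses.isEmpty()) {
                sql.append(" AND 1 = 0");
            } else {
                sql.append(" AND STATUS IN (")
                   .append(String.join(", ", Collections.nCopies(statuses.size(), "?")))
                   .append(")");
                params.addAll(statuses);
            }
        }
        return new Query(sql.toString(), params);
    }

    // Bind the collected values; JDBC placeholders are 1-based.
    public static PreparedStatement prepare(Connection conn, Query q) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(q.sql());
        for (int i = 0; i < q.params().size(); i++) {
            ps.setObject(i + 1, q.params().get(i));
        }
        return ps;
    }
}
```

Only the query structure (which clauses are present and how many placeholders) varies with the input; the placeholder count is derived from the list size, never from the values themselves.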
