Posted to issues@drill.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/01/12 11:19:00 UTC

[jira] [Commented] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class

    [ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17013705#comment-17013705 ] 

ASF GitHub Bot commented on DRILL-6215:
---------------------------------------

vvysotskyi commented on issue #1159: DRILL-6215: Changed Statement to PreparedStatement in JdbcRecordReader
URL: https://github.com/apache/drill/pull/1159#issuecomment-573404984
 
 
   Fixed in https://github.com/apache/drill/commit/4f55e71dc971d42054a031acd000ddf8337e90d9
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Assignee: Igor Guzenko
>            Priority: Major
>             Fix For: 1.18.0
>
>
> Use prepared statement instead of Statement in JdbcRecordReader class, which is more efficient and less vulnerable to SQL injection attacks.
> Apache Drill 1.13.0-SNAPSHOT, commit : 9073aed67d89e8b2188870d6c812706085c9c41b
> Findbugs reports the below bug and suggests that we use prepared statement instead of Statement.
> {noformat}
> In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
> In method org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator)
> At JdbcRecordReader.java:[line 170]
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute method on an SQL statement with a String that seems to be dynamically generated. 
> Consider using a prepared statement instead. 
> It is more efficient and less vulnerable to SQL injection attacks.
> {noformat}
> LOC - https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170
> {noformat}
> To run with findbugs:
> mvn clean install -Pfindbugs -DskipTests
> Findbugs will write the output to findbugsXml.html in the target directory of each module. 
> For example the java-exec module report is located at: ./exec/java-exec/target/findbugs/findbugsXml.html
> Use 
> find . -name "findbugsXml.html"
> to locate the files.
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
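An added illustration of the two patterns behind the FindBugs finding (my example code, not Drill's JdbcRecordReader and not the change in the commit linked above). It assumes a JDBC driver reachable through DriverManager and a table employees(id INT, name VARCHAR); both are placeholders. Note that only a `?` placeholder bound with setString keeps the value out of the SQL text; calling prepareStatement on an already concatenated string merely pre-parses it and gives no injection protection, and identifiers (table or column names) cannot be bound at all and must be validated separately.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class JdbcStatementPatterns {

    // The flagged pattern: the value is spliced into the SQL text, so the
    // database parses it as part of the query. Any quote in the input changes
    // the statement's structure instead of being treated as data.
    static int countByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM employees WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // The recommended pattern: the SQL text is a constant; the value travels
    // as a bound parameter and is never re-parsed as SQL.
    static int countByNameSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM employees WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder URL (assumption): supply a real one as the first argument.
        String url = args.length > 0 ? args[0] : "jdbc:<driver>://<host>/<db>";
        // Constructed input: an ordinary name containing an apostrophe.
        String name = "O'Brien";
        try (Connection conn = DriverManager.getConnection(url)) {
            // The bound-parameter form handles the apostrophe as data.
            System.out.println("prepared statement count: " + countByNameSafe(conn, name));
            // The concatenated form produces a malformed query and throws.
            try {
                System.out.println("concatenated count: " + countByNameUnsafe(conn, name));
            } catch (SQLException e) {
                System.out.println("concatenated form failed: " + e.getMessage());
            }
        }
    }
}
```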