Posted to issues@nifi.apache.org by "Matt Burgess (JIRA)" <ji...@apache.org> on 2018/01/25 15:15:00 UTC

[jira] [Assigned] (NIFI-978) Support parameterized prepared statements in ExecuteSQL

     [ https://issues.apache.org/jira/browse/NIFI-978?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Burgess reassigned NIFI-978:
---------------------------------

    Assignee: Matt Burgess

> Support parameterized prepared statements in ExecuteSQL
> -------------------------------------------------------
>
>                 Key: NIFI-978
>                 URL: https://issues.apache.org/jira/browse/NIFI-978
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Daryl Teo
>            Assignee: Matt Burgess
>            Priority: Minor
>
> PutSQL and ExecuteSQL are highly inconsistent and lead to confusion.
> - PutSQL relies on FlowFile content to execute its statement.
> - ExecuteSQL relies on SQL Select Command attribute
> - PutSQL supports parameterized statements through sql.args attributes
> - ExecuteSQL relies on Expression Language to insert dynamic properties
> The reliance on expression language for ExecuteSQL may also lead to potential SQL injection if one is not careful as it is a string replacement.
> Therefore in the interest of reliability and consistency I highly recommend that the SQL processors be standardised.
> Note: I prefer the sql command attribute for running SQL as opposed to the (lower visibility) content based command specification. Having the query attribute of ExecuteSQL, with the sql.args attributes of PutSQL would be a great improvement. If you support this, I will create a new issue in Jira.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
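The contrast the issue draws between Expression Language string replacement and PutSQL-style `sql.args.N.type` / `sql.args.N.value` attributes, shown as an added example that is not part of the JIRA thread or of NiFi's code: Python's `sqlite3` stands in for a JDBC connection, the `${name}` replacement is a simplified imitation of Expression Language substitution, and the attribute-to-parameter mapping is modelled on PutSQL's documented attribute convention (an assumption for this demo, not NiFi's implementation). The constructed table and the hostile attribute value exist only to make the difference observable.

```python
import sqlite3
from typing import Any, Dict, List, Tuple

# JDBC type codes (java.sql.Types) as carried in PutSQL's sql.args.N.type attribute.
JDBC_INTEGER = 4
JDBC_VARCHAR = 12


def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def query_by_substitution(conn: sqlite3.Connection, template: str,
                          attrs: Dict[str, str]) -> List[Tuple]:
    """Imitates Expression Language style replacement: each ${name} is spliced
    into the SQL text before execution, so an attribute value controlled by
    whoever produced the FlowFile becomes part of the SQL syntax."""
    sql = template
    for key, value in attrs.items():
        sql = sql.replace("${" + key + "}", value)
    return conn.execute(sql).fetchall()


def bind_params_from_attrs(attrs: Dict[str, str]) -> List[Any]:
    """Collect sql.args.1.value, sql.args.2.value, ... in order and convert each
    according to its sql.args.N.type (hypothetical reimplementation of the
    PutSQL convention; only VARCHAR and INTEGER are handled here)."""
    params: List[Any] = []
    n = 1
    while f"sql.args.{n}.value" in attrs:
        raw = attrs[f"sql.args.{n}.value"]
        jdbc_type = int(attrs.get(f"sql.args.{n}.type", JDBC_VARCHAR))
        params.append(int(raw) if jdbc_type == JDBC_INTEGER else raw)
        n += 1
    return params


def query_parameterized(conn: sqlite3.Connection, sql: str,
                        attrs: Dict[str, str]) -> List[Tuple]:
    """Prepared statement: the SQL text is fixed, attribute values are bound as
    data, so they can never change the statement's structure."""
    return conn.execute(sql, bind_params_from_attrs(attrs)).fetchall()


def demo() -> Tuple[List[Tuple], List[Tuple]]:
    """Run the same hostile attribute value through both styles."""
    conn = open_demo_db()
    hostile = "x' OR '1'='1"  # constructed value; a name that is also SQL
    by_subst = query_by_substitution(
        conn, "SELECT id, name FROM users WHERE name = '${user}'", {"user": hostile})
    by_param = query_parameterized(
        conn, "SELECT id, name FROM users WHERE name = ?",
        {"sql.args.1.type": str(JDBC_VARCHAR), "sql.args.1.value": hostile})
    return by_subst, by_param


if __name__ == "__main__":
    subst_rows, param_rows = demo()
    print("string replacement returned", len(subst_rows), "rows")  # every user
    print("prepared statement returned", len(param_rows), "rows")  # no such user
```

With substitution the WHERE clause collapses to a tautology and every row comes back; with binding the same value is compared literally and matches nothing, which is exactly the property the issue asks ExecuteSQL to gain by adopting PutSQL's `sql.args` attributes.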