You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@spark.apache.org by "Serge Rielau (Jira)" <ji...@apache.org> on 2023/04/19 22:37:00 UTC

[jira] [Created] (SPARK-43205) Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier

Serge Rielau created SPARK-43205:
------------------------------------

             Summary: Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier
                 Key: SPARK-43205
                 URL: https://issues.apache.org/jira/browse/SPARK-43205
             Project: Spark
          Issue Type: New Feature
          Components: Spark Core
    Affects Versions: 3.5.0
            Reporter: Serge Rielau


There is a requirement for SQL templates, where the table and or column names are provided through substitution. This can be done today using variable substitution:
SET hivevar:tabname = mytab;
SELECT * FROM ${ hivevar:tabname };

A straight variable substitution is dangerous since it does allow for SQL injection:
SET hivevar:tabname = mytab, someothertab;
SELECT * FROM ${ hivevar:tabname };

A way to get around this problem is to wrap the variable substitution with a clause that limits the scope t produce an identifier.
This approach is taken by Snowflake:
 [https://docs.snowflake.com/en/sql-reference/session-variables#using-variables-in-sql]

SET hivevar:tabname = 'tabname';
SELECT * FROM IDENTIFIER(${ hivevar:tabname })



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org