zhongjiajie commented on code in PR #15238:
URL: https://github.com/apache/dolphinscheduler/pull/15238#discussion_r1449721024


##########
docs/docs/zh/guide/task/sql.md:
##########
@@ -28,6 +28,7 @@ SQL任务类型,用于连接数据库并执行相应SQL。
 - sql语句:SQL语句
 - UDF函数:对于HIVE类型的数据源,可以引用资源中心中创建的UDF函数,其他类型的数据源暂不支持UDF函数。
 - 
自定义参数:SQL任务类型,而存储过程是自定义参数顺序,给方法设置值自定义参数类型和数据类型,同存储过程任务类型一样。区别在于SQL任务类型自定义参数会替换sql语句中${变量}。
+- sql注入: 可以使用sql注入的方式更改sql,会替换sql语句中的```!{变量}``` 例如 ``` select * from A where 
a = !{变量}```
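Review bot: the new `sql注入` bullet does not say how `!{变量}` substitution differs from the `${变量}` substitution described in the custom-parameter bullet directly above it, yet "更改sql" ("change the sql") implies the raw value is spliced into the statement text and can therefore alter the statement itself rather than only supply a value. Spell that difference out and state which parameter sources may feed `!{变量}`, so readers understand it is only safe with trusted, non-user-controlled input. Also use single backticks for the inline `!{变量}` and `select * from A where a = !{变量}`, since triple backticks inside a list item render as a fenced block rather than inline code.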

Review Comment:
   ```suggestion
   - sql注入: 可以使用sql注入的方式更改sql,会替换sql语句中的`!{变量}` 例如 `select * from A where a = !{变量}`
   ```



##########
docs/docs/en/guide/task/sql.md:
##########
@@ -28,6 +28,7 @@ Refer to [datasource-setting](../howto/datasource-setting.md) 
`DataSource Center
 | SQL statement     | SQL statement.                                           
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                      
                       |
 | UDF function      | For Hive DataSources, you can refer to UDF functions 
created in the resource center, but other DataSource do not support UDF 
functions.                                                                      
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                  
                       |
 | Custom parameters | SQL task type, and stored procedure is a custom 
parameter order, to set customized parameter type and data type for the method 
is the same as the stored procedure task type. The difference is that the 
custom parameter of the SQL task type replaces the `${variable}` in the SQL 
statement.                                                                      
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                          
                       |
+| SQL injection     | You can use SQL injection to change SQL, which will 
replace ```!{Variable}``` in the SQL statement. For example, ``` select * from 
A where a = !{Variable}```                                                      
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                            
                       |
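Review bot: the row name "SQL injection" and the sentence "You can use SQL injection to change SQL" name an attack class rather than describe the feature, which will mislead readers of the English doc; describe the mechanism instead (text replacement of `!{Variable}` in the statement) and contrast it explicitly with the `${variable}` replacement in the "Custom parameters" row above, noting that a value spliced in this way can change the statement itself and so must come only from trusted sources. The inline triple backticks around `!{Variable}` and around the example query should be single backticks, and the long runs of trailing whitespace in the new cell can be trimmed, since table rendering does not depend on them.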

Review Comment:
   ```suggestion
   | SQL injection     | You can use SQL injection to change SQL, which will replace `!{Variable}` in the SQL statement. For example, `select * from A where a = !{Variable}` |
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
