Repository: hive Updated Branches: refs/heads/master b7b3f881f -> 0330c1c0b
HIVE-18788: Clean up inputs in JDBC PreparedStatement (Daniel Dai, reviewed by Thejas Nair)

Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/0330c1c0
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/0330c1c0
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/0330c1c0

Branch: refs/heads/master
Commit: 0330c1c0b62f3c2e6a4744048578dea55193b62c
Parents: b7b3f88
Author: Daniel Dai <da...@hortonworks.com>
Authored: Thu Mar 1 14:34:03 2018 -0800
Committer: Daniel Dai <da...@hortonworks.com>
Committed: Thu Mar 1 14:34:03 2018 -0800

----------------------------------------------------------------------
 .../org/apache/hive/jdbc/TestJdbcDriver2.java | 20 ++++++++++++++
 .../apache/hive/jdbc/HivePreparedStatement.java | 28 +++++++++++++++++---
 2 files changed, 45 insertions(+), 3 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/hive/blob/0330c1c0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
index f6f64ee..4e8c5bf 100644
--- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
+++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
@@ -46,6 +46,7 @@ import org.junit.rules.ExpectedException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.lang.Exception;
 import java.lang.Object;
@@ -492,6 +493,25 @@ public class TestJdbcDriver2 {
     expectedException);
   }
+  @Test
+  public void testPrepareStatementWithSetBinaryStream() throws SQLException {
+    PreparedStatement stmt = con.prepareStatement("select under_col from " + tableName + " where value=?");
+    stmt.setBinaryStream(1, new ByteArrayInputStream("'val_238' or under_col <> 0".getBytes()));
+    ResultSet res = stmt.executeQuery();
+    assertFalse(res.next());
+  }
+
+  @Test
+  public void testPrepareStatementWithSetString() throws SQLException {
+    PreparedStatement stmt = con.prepareStatement("select under_col from " + tableName + " where value=?");
+    stmt.setString(1, "val_238\\' or under_col <> 0 --");
+    ResultSet res = stmt.executeQuery();
+    assertFalse(res.next());
+    stmt.setString(1, "anyStringHere\\' or 1=1 --");
+    res = stmt.executeQuery();
+    assertFalse(res.next());
+  }
+
   private PreparedStatement createPreapredStatementUsingSetObject(String sql) throws SQLException {
     PreparedStatement ps = con.prepareStatement(sql);

http://git-wip-us.apache.org/repos/asf/hive/blob/0330c1c0/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java
----------------------------------------------------------------------
diff --git a/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java b/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java
index 4bb7398..77a1797 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java
@@ -276,7 +276,7 @@ public class HivePreparedStatement extends HiveStatement implements PreparedStat
   public void setBinaryStream(int parameterIndex, InputStream x) throws SQLException {
     String str = new Scanner(x, "UTF-8").useDelimiter("\\A").next();
-    this.parameters.put(parameterIndex, str);
+    setString(parameterIndex, str);
   }
   /*
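Review bot: Both new tests only assert that the injected value matches no row (`assertFalse(res.next())`), so an implementation that over-escapes and never matches anything would pass them too; the hunk needs a positive case that binds a value containing a quote or backslash and asserts the matching row is returned. In testPrepareStatementWithSetBinaryStream, `"'val_238' or under_col <> 0".getBytes()` encodes with the platform default charset while setBinaryStream decodes the stream as UTF-8, so `getBytes(StandardCharsets.UTF_8)` is the faithful form. Both test methods are complete within the hunk.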
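Review bot: An empty stream still makes setBinaryStream throw `NoSuchElementException` from the `next()` call on the line above the changed one, which is not the `SQLException` a JDBC caller expects, and the Scanner is never closed; the commit does not touch this. Binding the empty string instead would be `Scanner s = new Scanner(x, "UTF-8").useDelimiter("\\A"); String str = s.hasNext() ? s.next() : "";` followed by the new `setString(parameterIndex, str);`. Whether an empty stream should bind `''` or raise an SQLException is a driver-policy question I cannot settle from the hunk. setBinaryStream is complete within the hunk.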
@@ -696,6 +696,27 @@ public class HivePreparedStatement extends HiveStatement implements PreparedStat
     this.parameters.put(parameterIndex,""+x);
   }
+  private String replaceBackSlashSingleQuote(String x) {
+    // scrutinize escape pair, specifically, replace \' to '
+    StringBuffer newX = new StringBuffer();
+    for (int i = 0; i < x.length(); i++) {
+      char c = x.charAt(i);
+      if (c == '\\' && i < x.length()-1) {
+        char c1 = x.charAt(i+1);
+        if (c1 == '\'') {
+          newX.append(c1);
+        } else {
+          newX.append(c);
+          newX.append(c1);
+        }
+        i++;
+      } else {
+        newX.append(c);
+      }
+    }
+    return newX.toString();
+  }
+
   /*
    * (non-Javadoc)
    *
@@ -703,8 +724,9 @@ public class HivePreparedStatement extends HiveStatement implements PreparedStat
    */
   public void setString(int parameterIndex, String x) throws SQLException {
-    x=x.replace("'", "\\'");
-    this.parameters.put(parameterIndex,"'"+x+"'");
+    x = replaceBackSlashSingleQuote(x);
+    x=x.replace("'", "\\'");
+    this.parameters.put(parameterIndex, "'"+x+"'");
   }
   /*
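Review bot: replaceBackSlashSingleQuote has no Javadoc, and its contract is subtle enough to need one: a `\'` pair collapses to `'`, any other backslash pair is copied verbatim, and a lone trailing backslash is copied as-is, so a caller that passes a pre-escaped quote gets it unescaped before setString escapes it once. A header such as `/** Collapses {@code \'} to {@code '} so a caller-escaped quote is not escaped twice by setString; other backslash pairs and a trailing lone backslash are copied unchanged. */` would state that. As a point of style, the method-local `StringBuffer newX` pays for synchronized appends it cannot need; `StringBuilder newX = new StringBuilder(x.length());` is the usual choice. The method is complete within the hunk.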
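Review bot: A value ending in a lone backslash (an odd run of them) still breaks out of the literal after this change: replaceBackSlashSingleQuote copies a trailing `\` unchanged, `x.replace("'", "\\'")` does not touch it, and the wrapping `"'"+x+"'"` yields `'abc\'`, where the backslash escapes the closing quote by the same rule the hunk relies on to neutralise `'`. With two placeholders, a first parameter of `abc\` and a second of ` or 1=1 -- ` would, if the server reads `\'` as an escaped quote as this hunk assumes, let the second parameter's text run as SQL, so escaping only quotes is not sufficient. Backslashes need escaping as well, e.g. `x = replaceBackSlashSingleQuote(x).replace("\\", "\\\\").replace("'", "\\'");` before the `this.parameters.put(...)` line; this also makes other caller-supplied escape sequences such as `\n` literal, which I have not checked against the server's literal parsing, so it wants its own test alongside the ones added in TestJdbcDriver2. setString is complete within the hunk.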