Repository: hive
Updated Branches:
  refs/heads/branch-2.3 de82776f7 -> 63df42966


HIVE-18788: Clean up inputs in JDBC PreparedStatement (Daniel Dai, reviewed by 
Thejas Nair)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/63df4296
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/63df4296
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/63df4296

Branch: refs/heads/branch-2.3
Commit: 63df42966cf44ffdd20d3fcdcfb70738c0432aba
Parents: de82776
Author: Daniel Dai <da...@hortonworks.com>
Authored: Fri Mar 2 15:36:36 2018 -0800
Committer: Daniel Dai <da...@hortonworks.com>
Committed: Fri Mar 2 15:36:36 2018 -0800

----------------------------------------------------------------------
 .../org/apache/hive/jdbc/TestJdbcDriver2.java   | 20 ++++++++++++++
 .../apache/hive/jdbc/HivePreparedStatement.java | 28 +++++++++++++++++---
 2 files changed, 45 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/63df4296/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
----------------------------------------------------------------------
diff --git 
a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 
b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
index 6e9223a..c2b4ce4 100644
--- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
+++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
@@ -45,6 +45,7 @@ import org.junit.rules.ExpectedException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.lang.Exception;
 import java.lang.Object;
@@ -491,6 +492,25 @@ public class TestJdbcDriver2 {
         expectedException);
   }
 
+  @Test
+  public void testPrepareStatementWithSetBinaryStream() throws SQLException {
+    PreparedStatement stmt = con.prepareStatement("select under_col from " + 
tableName + " where value=?");
+    stmt.setBinaryStream(1, new ByteArrayInputStream("'val_238' or under_col 
<> 0".getBytes()));
+    ResultSet res = stmt.executeQuery();
+    assertFalse(res.next());
+  }
+
+  @Test
+  public void testPrepareStatementWithSetString() throws SQLException {
+    PreparedStatement stmt = con.prepareStatement("select under_col from " + 
tableName + " where value=?");
+    stmt.setString(1, "val_238\\' or under_col <> 0 --");
+    ResultSet res = stmt.executeQuery();
+    assertFalse(res.next());
+    stmt.setString(1,  "anyStringHere\\' or 1=1 --");
+    res = stmt.executeQuery();
+    assertFalse(res.next());
+  }
+
   private PreparedStatement createPreapredStatementUsingSetObject(String sql) 
throws SQLException {
     PreparedStatement ps = con.prepareStatement(sql);
 
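Review bot: In testPrepareStatementWithSetBinaryStream the bytes come from `getBytes()` with the platform default charset, while HivePreparedStatement.setBinaryStream decodes the stream as UTF-8; the payload is ASCII so the two agree today, but `getBytes(StandardCharsets.UTF_8)` keeps the test independent of the JVM's file.encoding. Both tests only assert the negative case (no rows for an injected value); a companion assertion that an ordinary value such as `stmt.setString(1, "val_238")` still returns rows would show the new escaping does not also break legitimate lookups. Neither test covers a value ending in a backslash, which is the remaining way the closing quote of the bound literal can be defeated. Both test methods are complete within the hunk.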

http://git-wip-us.apache.org/repos/asf/hive/blob/63df4296/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java
----------------------------------------------------------------------
diff --git a/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java 
b/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java
index b842634..a455a6d 100644
--- a/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java
+++ b/jdbc/src/java/org/apache/hive/jdbc/HivePreparedStatement.java
@@ -276,7 +276,7 @@ public class HivePreparedStatement extends HiveStatement 
implements PreparedStat
 
   public void setBinaryStream(int parameterIndex, InputStream x) throws 
SQLException {
     String str = new Scanner(x, "UTF-8").useDelimiter("\\A").next();
-    this.parameters.put(parameterIndex, str);
+    setString(parameterIndex, str);
   }
 
   /*
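Review bot: Routing the decoded text through setString is the right change, but the Scanner on the line above still throws `NoSuchElementException` when the stream is empty, so an empty binary parameter cannot be bound at all; `Scanner sc = new Scanner(x, "UTF-8").useDelimiter("\\A");` followed by `setString(parameterIndex, sc.hasNext() ? sc.next() : "");` would bind the empty literal instead. The Scanner is also never closed, which presumably keeps the caller's stream open until GC — confirm whether closing it inside the driver is acceptable to callers before adding a try-with-resources. A short Javadoc stating that the stream is read to exhaustion as UTF-8 text and bound as a quoted string literal would document the behaviour the method now relies on.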
@@ -696,6 +696,27 @@ public class HivePreparedStatement extends HiveStatement 
implements PreparedStat
     this.parameters.put(parameterIndex,""+x);
   }
 
+  private String replaceBackSlashSingleQuote(String x) {
+    // scrutinize escape pair, specifically, replace \' to '
+    StringBuffer newX = new StringBuffer();
+    for (int i = 0; i < x.length(); i++) {
+      char c = x.charAt(i);
+      if (c == '\\' && i < x.length()-1) {
+        char c1 = x.charAt(i+1);
+        if (c1 == '\'') {
+          newX.append(c1);
+        } else {
+          newX.append(c);
+          newX.append(c1);
+        }
+        i++;
+      } else {
+        newX.append(c);
+      }
+    }
+    return newX.toString();
+  }
+
   /*
    * (non-Javadoc)
    *
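Review bot: The comment on replaceBackSlashSingleQuote says only that it turns `\'` into `'`, but the loop also consumes every other backslash pair verbatim and copies a lone trailing backslash through unchanged, and that wider contract is what setString depends on; a Javadoc such as `/** Undoes a pre-escaped {@code \'} so setString can re-escape it exactly once; any other backslash pair and a trailing lone backslash are copied through unchanged. */` would make it explicit. `StringBuffer` can be `StringBuilder` since the buffer never leaves the method, and `x.length()` could be hoisted out of the loop. Note that this contract means a value that genuinely contains the two characters backslash-quote is altered before binding, which departs from the JDBC expectation that setString binds the value literally — worth a sentence in the Javadoc so the behaviour is a documented choice rather than a surprise.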
@@ -703,8 +724,9 @@ public class HivePreparedStatement extends HiveStatement 
implements PreparedStat
    */
 
   public void setString(int parameterIndex, String x) throws SQLException {
-     x=x.replace("'", "\\'");
-     this.parameters.put(parameterIndex,"'"+x+"'");
+    x = replaceBackSlashSingleQuote(x);
+    x=x.replace("'", "\\'");
+    this.parameters.put(parameterIndex, "'"+x+"'");
   }
 
   /*
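Review bot: Backslashes are never escaped here, so a value whose last character is `\` (which the helper in the previous hunk copies through unchanged) is bound as `'...\'`, where the backslash escapes the closing quote and leaves the literal open into the rest of the statement — the same class of breakout this commit closes for `'`. Escaping backslashes before quotes, `x = x.replace("\\", "\\\\").replace("'", "\\'");`, closes it and, because every backslash is then encoded, makes the replaceBackSlashSingleQuote pre-pass unnecessary; assuming HiveQL reads `\\` as an escaped backslash, both new tests should still pass with this form. If the pre-pass must stay for compatibility, at minimum a trailing odd-length run of backslashes needs to be escaped or rejected before the quote replacement. The indentation of the two rewritten lines is now consistent with the method body, which is an improvement over the removed lines.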
