Laszlo Pinter created HIVE-20551:
------------------------------------
Summary: Create PreparedStatement query dynamically when IN clause is used
Key: HIVE-20551
URL: https://issues.apache.org/jira/browse/HIVE-20551
Project: Hive
Issue Type: Bug
Reporter: Laszlo Pinter
Assignee: Laszlo Pinter
In the MetaStoreDirectSql class, when an IN clause is used, the query statement is
created via string concatenation, meaning that an attacker could change the
statement's meaning or insert arbitrary SQL commands.
Since the JDBC API allows only one literal per "?" parameter, PreparedStatement
doesn't work for IN clause queries as written. To create the PreparedStatement query
dynamically based on the number of elements in the IN clause, makeParams()
should be used instead of concatenation.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
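The pattern the issue describes, as an added example that is not code from the Hive project or from the reporter: the vulnerable shape splices IN-list values straight into the SQL text, while the fixed shape generates one "?" placeholder per element and binds each value through PreparedStatement. The `makeParams` helper here is a stand-in written for this example (Hive's own method of that name may differ in signature), the table and column names are constructed for illustration, and `prepare` takes any JDBC `Connection` rather than opening one.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;

/**
 * Added example, not Hive code. Contrasts building an IN-clause filter by
 * string concatenation (the bug described in HIVE-20551) with generating one
 * "?" placeholder per element and binding each value as a JDBC parameter.
 */
public class InClauseExample {

    // Vulnerable shape: every value becomes part of the SQL text, so a value
    // containing a quote can close the literal and rewrite the statement.
    static String unsafeQuery(List<String> dbNames) {
        StringBuilder sb = new StringBuilder(
            "select \"DB_ID\" from \"DBS\" where \"NAME\" in (");
        for (int i = 0; i < dbNames.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append('\'').append(dbNames.get(i)).append('\'');
        }
        return sb.append(')').toString();
    }

    // Stand-in for makeParams() (hypothetical signature): "?" repeated
    // once per element, comma separated. An empty IN list is invalid SQL,
    // so it is rejected here rather than producing "in ()".
    static String makeParams(int size) {
        if (size <= 0) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        StringBuilder sb = new StringBuilder("?");
        for (int i = 1; i < size; i++) {
            sb.append(",?");
        }
        return sb.toString();
    }

    // Safe shape: the SQL text depends only on the element count, never on
    // the element values, so the statement's structure is fixed before any
    // user-controlled data is seen by the database.
    static String safeQuery(int count) {
        return "select \"DB_ID\" from \"DBS\" where \"NAME\" in ("
            + makeParams(count) + ")";
    }

    // Binds each element to its placeholder; the driver handles quoting.
    static PreparedStatement prepare(Connection conn, List<String> dbNames)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(safeQuery(dbNames.size()));
        for (int i = 0; i < dbNames.size(); i++) {
            ps.setString(i + 1, dbNames.get(i)); // JDBC parameters are 1-based
        }
        return ps;
    }

    public static void main(String[] args) {
        // Constructed input: the last "database name" carries an injection
        // payload that closes the quoted literal and the IN list.
        List<String> names = List.of("default", "sales", "x') or '1'='1' --");

        // The payload is now part of the statement and changes its meaning.
        System.out.println(unsafeQuery(names));

        // The parameterized text is the same for any three values.
        System.out.println(safeQuery(names.size()));
    }
}
```

Running `main` shows the point of the fix directly: the concatenated query ends in `'x') or '1'='1' --')`, which the database parses as a changed WHERE clause, whereas the parameterized query is always `... in (?,?,?)` and the payload is delivered to the database only as the bound value of the third parameter.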