SQL Parameter values may contain sensitive information and should not be logged
by default.
-------------------------------------------------------------------------------------------
Key: OPENJPA-1678
URL: https://issues.apache.org/jira/browse/OPENJPA-1678
Project: OpenJPA
Issue Type: Bug
Affects Versions: 2.0.0, 1.2.2, 1.1.0, 1.0.3, 2.1.0
Reporter: Michael Dick
Assignee: Michael Dick
Fix For: 1.0.4, 1.2.3, 2.0.1, 2.1.0
The values for parameters used in our SQL statements may contain sensitive
information (e.g. social security numbers). By default these values are printed
in the exception message and in SQL trace. Having the values printed can be a
great help when debugging an application - but presents a risk when used in
production.
To resolve the issue I propose to disable printing the parameter values by
default. The parameter values will still be tracked internally - but will not
be displayed in exception messages or trace unless the following property is
set:

    <property name="openjpa.ConnectionFactoryProperties"
              value="printParameters=true"/>