[
https://issues.apache.org/jira/browse/PHOENIX-3613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15832036#comment-15832036
]
Josh Elser commented on PHOENIX-3613:
-------------------------------------
+1 LGTM. Thanks [~rajeshbabu]!
> Avoid possible SQL Injection with proper input validations
> ----------------------------------------------------------
>
> Key: PHOENIX-3613
> URL: https://issues.apache.org/jira/browse/PHOENIX-3613
> Project: Phoenix
> Issue Type: Bug
> Reporter: Rajeshbabu Chintaguntla
> Assignee: Rajeshbabu Chintaguntla
> Attachments: PHOENIX-3613.patch
>
>
> There are possible SQL injections:
> Issue 1:
> *Overview*: On line 139 of PhoenixUtil.java, the method
> executeStatementThrowException() invokes a SQL query built using input coming
> from an untrusted source. This call could allow an attacker to modify the
> statement's meaning or to execute arbitrary SQL commands.
> *Comment*: As the source SQL query can have an IN clause in the SQL statement,
> please use this link to fix:
> http://stackoverflow.com/questions/3107044/preparedstatement-with-list-of-parameters-in-a-in-clause
> Issue 2:
> *Overview*: On line 60 of EntityFactory.java, the method findMultiple()
> invokes a SQL query built using input coming from an untrusted source. This
> call could allow an attacker to modify the statement's meaning or to execute
> arbitrary SQL commands.
> *Comment*: Limit value can be misused as well.
> *Tagged*: Suspicious
> *Overview*: On line 154 of PhoenixUtil.java, the method executeStatement()
> invokes a SQL query built using input coming from an untrusted source. This
> call could allow an attacker to modify the statement's meaning or to execute
> arbitrary SQL commands.
> *Comment*: Applying schema to file?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
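The two patterns the issue contrasts, as an added JDBC illustration that is not Phoenix's or the patch's own code: a query whose IN-list values and LIMIT are spliced into the SQL text (the reported shape), beside a version that emits one `?` per IN value, binds every value, and parses the LIMIT as an integer before binding it. The table and column names, the `findMultiple` signature and the sample inputs are hypothetical; the example also assumes the driver accepts a bind parameter in the LIMIT clause, and it does not bind identifiers, which JDBC cannot parameterize and which must come from a fixed allow-list instead.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added example, not Phoenix/Pherf code. Table and column names are hypothetical. */
public final class SafeInQuery {

    // VULNERABLE: the shape the report flags. Values and the limit are spliced
    // into the SQL text, so a value such as  x') OR 1=1 --  or a limit such as
    // "1; DROP TABLE T" rewrites the statement instead of being compared as data.
    static String buildUnsafe(String table, String column, List<String> values, String limit) {
        StringBuilder sb = new StringBuilder("SELECT * FROM ").append(table)
                .append(" WHERE ").append(column).append(" IN (");
        for (int i = 0; i < values.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append('\'').append(values.get(i)).append('\'');
        }
        return sb.append(") LIMIT ").append(limit).toString();
    }

    // HARDENED: the SQL text depends only on the *number* of values. Each value
    // becomes a '?' placeholder, so user data never reaches the parser as SQL.
    static String buildParameterizedSql(String table, String column, int valueCount) {
        if (valueCount <= 0) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        String placeholders = String.join(", ", Collections.nCopies(valueCount, "?"));
        return "SELECT * FROM " + table + " WHERE " + column
                + " IN (" + placeholders + ") LIMIT ?";
    }

    // The issue notes that the limit value can be misused as well: never treat it
    // as a string. Parse it as an integer and range-check it before binding, so
    // "10; DROP TABLE T", "-1" or "0" are rejected here rather than sent on.
    static int parseLimit(String rawLimit) {
        int limit;
        try {
            limit = Integer.parseInt(rawLimit.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("LIMIT must be an integer, got: " + rawLimit, e);
        }
        if (limit < 1) {
            throw new IllegalArgumentException("LIMIT must be positive, got: " + limit);
        }
        return limit;
    }

    // Hypothetical hardened counterpart of a findMultiple()-style lookup.
    // Assumes the JDBC driver accepts a bind parameter in the LIMIT clause.
    static ResultSet findMultiple(Connection conn, String table, String column,
                                  List<String> values, String rawLimit) throws SQLException {
        String sql = buildParameterizedSql(table, column, values.size());
        PreparedStatement ps = conn.prepareStatement(sql);
        int idx = 1;
        for (String v : values) {
            ps.setString(idx++, v);   // bound as data, quotes and parentheses inert
        }
        ps.setInt(idx, parseLimit(rawLimit));
        return ps.executeQuery();
    }

    // Offline demonstration on constructed input: shows how the same attacker-
    // controlled value changes the unsafe query text but not the parameterized one.
    public static void main(String[] args) {
        List<String> hostile = Arrays.asList("alice", "x') OR 1=1 --");
        System.out.println("unsafe : " + buildUnsafe("USERS", "NAME", hostile, "10; DROP TABLE USERS"));
        System.out.println("safe   : " + buildParameterizedSql("USERS", "NAME", hostile.size()));
        try {
            parseLimit("10; DROP TABLE USERS");
        } catch (IllegalArgumentException e) {
            System.out.println("limit rejected: " + e.getMessage());
        }
    }
}
```

Note that this only closes the data channel: `table` and `column` are still concatenated, because JDBC cannot bind identifiers. If those also come from an untrusted source they must be checked against a fixed set of known names (or quoted through the driver's identifier-quoting rules) before being placed in the statement.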