[ https://issues.apache.org/jira/browse/PHOENIX-6560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Istvan Toth resolved PHOENIX-6560.
----------------------------------
    Fix Version/s: 5.2.0
       Resolution: Fixed

Committed to master.
Thanks for the patch [~kabhishek4].

> Rewrite dynamic SQL queries to use PreparedStatement
> ----------------------------------------------------
>
>                 Key: PHOENIX-6560
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6560
>             Project: Phoenix
>          Issue Type: Improvement
>          Components: core
>            Reporter: Istvan Toth
>            Assignee: Abhishek Kothalikar
>            Priority: Major
>             Fix For: 5.2.0
>
>
> Most of the Phoenix code base already uses PreparedStatements, and adds all
> potentially vulnerable data as parameters.
> However, there are some places where we concatenate potentially problematic
> strings into the query.
> While most of those are constants and such, we should preferably pass all
> data as parameters to be on the safe side.
> (We still have to use dynamic strings for the PreparedStatement strings, for
> handling things such as IS NULL, empty IN clauses and such.)
> Spotbugs marks these with SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, so
> they're easy to find.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
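The pattern the issue describes, as an added example that is not Phoenix code and not part of the Jira thread: the query text is still built dynamically (IS NULL versus a bind, one placeholder per IN element, no IN clause at all when the list is empty), but every data value is passed as a PreparedStatement parameter. The table T and its TENANT_ID and ID columns are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Collections;
import java.util.List;

// Hypothetical helper, not from the Phoenix code base.
public class ParameterizedQueries {

    // Before: data values concatenated into the query text. This is the shape
    // Spotbugs reports as SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE when the
    // resulting string is handed to Statement.execute*().
    static String unsafeQueryText(String tenantId, List<String> ids) {
        StringBuilder sb = new StringBuilder("SELECT * FROM T WHERE TENANT_ID = '")
            .append(tenantId).append("'");
        if (!ids.isEmpty()) {
            sb.append(" AND ID IN (");
            for (int i = 0; i < ids.size(); i++) {
                if (i > 0) sb.append(",");
                sb.append("'").append(ids.get(i)).append("'");
            }
            sb.append(")");
        }
        return sb.toString();
    }

    // After: only SQL structure is dynamic (IS NULL vs "= ?", and the number of
    // placeholders in the IN list); no data value ever enters the string.
    static String safeQueryText(String tenantId, List<String> ids) {
        StringBuilder sb = new StringBuilder("SELECT * FROM T WHERE TENANT_ID ");
        sb.append(tenantId == null ? "IS NULL" : "= ?");
        if (!ids.isEmpty()) {
            // An empty IN () is not valid SQL, so the clause is omitted entirely.
            sb.append(" AND ID IN (")
              .append(String.join(",", Collections.nCopies(ids.size(), "?")))
              .append(")");
        }
        return sb.toString();
    }

    // Binds the parameters in the same order the placeholders were emitted above.
    static PreparedStatement prepareSafe(Connection conn, String tenantId, List<String> ids)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(safeQueryText(tenantId, ids));
        int idx = 1;
        if (tenantId != null) ps.setString(idx++, tenantId);
        for (String id : ids) ps.setString(idx++, id);
        return ps;
    }
}
```

For tenantId "acme" and ids ["1","2"], safeQueryText returns `SELECT * FROM T WHERE TENANT_ID = ? AND ID IN (?,?)`; for a null tenant and an empty list it returns `SELECT * FROM T WHERE TENANT_ID IS NULL` with no parameters bound.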