[ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16393868#comment-16393868 ]
ASF GitHub Bot commented on DRILL-6215:
---------------------------------------

GitHub user kfaraaz opened a pull request:

    https://github.com/apache/drill/pull/1159

    DRILL-6215: Changed Statement to PreparedStatement in JdbcRecordReader

    @bitblender Can you please review?

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/kfaraaz/drill DRILL-6215

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/drill/pull/1159.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1159

----
commit c8e16b54323cfcef90f8633474571cdf3bfb7cf9
Author: Khurram Faraaz <kfaraaz@...>
Date:   2018-03-10T00:30:10Z

    DRILL-6215: Changed Statement to PreparedStatement in JdbcRecordReader

----


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Priority: Major
>
> Use prepared statement instead of Statement in JdbcRecordReader class, which
> is more efficient and less vulnerable to SQL injection attacks.
> Apache Drill 1.13.0-SNAPSHOT, commit :
> 9073aed67d89e8b2188870d6c812706085c9c41b
> Findbugs reports the below bug and suggests that we use prepared statement
> instead of Statement.
> {noformat}
> In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
> In method org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator)
> At JdbcRecordReader.java:[line 170]
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute method on an SQL statement with a String that seems to be dynamically generated.
> Consider using a prepared statement instead.
> It is more efficient and less vulnerable to SQL injection attacks.
> {noformat}
>
> LOC -
> https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170
>
> {noformat}
> To run with findbugs:
> mvn clean install -Pfindbugs -DskipTests
> Findbugs will write the output to findbugsXml.html in the target directory of
> each module.
> For example the java-exec module report is located at:
> ./exec/java-exec/target/findbugs/findbugsXml.html
> Use
> find . -name "findbugsXml.html"
> to locate the files.
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)