[ 
https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16400980#comment-16400980
 ] 

ASF GitHub Bot commented on DRILL-6215:
---------------------------------------

Github user kkhatua commented on the issue:

    https://github.com/apache/drill/pull/1159
  
    @kfaraaz Are there unit tests specific to the JDBC Storage Plugin? They're 
not the same as the JDBC unit tests, which test the Drill JDBC driver.
    
    While the change seems straightforward, I'm not sure if all JDBC drivers 
support PreparedStatement. For example, within Drill, the PreparedStatement is 
executed as a standard Statement object, which is why this _works_ functionally.
    
    What happens if a JDBC driver backing the JDBC storage plugin does not 
support PreparedStatement (i.e. it is a No-Op)? 


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Priority: Major
>
> Use prepared statement instead of Statement in JdbcRecordReader class, which 
> is more efficient and less vulnerable to SQL injection attacks.
> Apache Drill 1.13.0-SNAPSHOT, commit : 
> 9073aed67d89e8b2188870d6c812706085c9c41b
> Findbugs reports the below bug and suggests that we use prepared statement 
> instead of Statement.
> {noformat}
> In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
> In method 
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, 
> OutputMutator)
> At JdbcRecordReader.java:[line 170]
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, 
> OutputMutator) passes a nonconstant String to an execute method on an SQL 
> statement
> The method invokes the execute method on an SQL statement with a String that 
> seems to be dynamically generated. 
> Consider using a prepared statement instead. 
> It is more efficient and less vulnerable to SQL injection attacks.
> {noformat}
> LOC - 
> https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170
> {noformat}
> To run with findbugs:
> mvn clean install -Pfindbugs -DskipTests
> Findbugs will write the output to findbugsXml.html in the target directory of 
> each module. 
> For example the java-exec module report is located at: 
> ./exec/java-exec/target/findbugs/findbugsXml.html
> Use 
> find . -name "findbugsXml.html"
> to locate the files.
> {noformat}
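The Statement-versus-PreparedStatement distinction the ticket and the comment turn on, as an added example that is not Drill code and not from the pull request. It uses Python's standard-library sqlite3 (DB-API, same `?` placeholder style as JDBC) so that it runs offline; the table, its rows and the payload string are constructed for the example. `names_with_statement` is the shape FindBugs flags (untrusted value spliced into the SQL text), `names_with_prepared` is the fix it suggests (constant SQL text, value bound as a parameter):

```python
import sqlite3

# Constructed sample data, not from Drill: a table an external JDBC source might expose.
SAMPLE_ROWS = [(1, "alice", "s1"), (2, "bob", "s2")]


def make_db():
    """In-memory database standing in for the JDBC-backed source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def names_with_statement(conn, name):
    """Statement-style: the untrusted value is spliced into the SQL text.

    This is what FindBugs reports as 'passes a nonconstant String to an
    execute method': whatever is in `name` is parsed as SQL by the database.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def names_with_prepared(conn, name):
    """PreparedStatement-style: constant SQL text, value bound as a parameter.

    The database receives the SQL text and the value separately, so the
    value can never change the statement's structure.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(conn, name):
    """Return both results side by side for one input, sorted for stable comparison."""
    return {
        "statement": sorted(names_with_statement(conn, name)),
        "prepared": sorted(names_with_prepared(conn, name)),
    }


if __name__ == "__main__":
    db = make_db()
    # A legitimate lookup behaves the same both ways; the constructed
    # tautology payload only succeeds against the spliced-text version.
    for value in ("alice", "x' OR '1'='1"):
        print(repr(value), compare(db, value))
```

Two caveats a reviewer would keep in mind when reading the FindBugs message. First, the protection comes from the bind parameter, not from the class name: if the nonconstant string is the entire SQL text (a query generated from a plan rather than a value), then `prepareStatement(sql)` sends the same text the database would have parsed under `Statement`, and FindBugs reports it under a different pattern (`SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING`) rather than considering it fixed. Second, on kkhatua's question about driver support: drivers without server-side prepared statements generally emulate them client-side by escaping bound values into the text before sending (MySQL Connector/J does this by default), so the binding still separates value from structure; what such a driver gives up is the efficiency half of the FindBugs claim, not the injection half.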



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
