[ https://issues.apache.org/jira/browse/HIVE-20551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Laszlo Pinter updated HIVE-20551:
---------------------------------
    Description: 
In the MetaStoreDirectSql class, when an IN clause is used, the query statement is 
created via string concatenation.

Since the JDBC API allows only one literal per “?” parameter, PreparedStatement 
doesn’t work for IN clause queries. To create the PreparedStatement query 
dynamically based on the number of elements in the IN clause, makeParams() 
should be used instead of concatenation. 

  was:
In the MetaStoreDirectSql class, when an IN clause is used, the query statement is 
created via string concatenation, meaning that an attacker could change the 
statement's meaning or insert arbitrary SQL commands. 

Since the JDBC API allows only one literal per “?” parameter, PreparedStatement 
doesn’t work for IN clause queries. To create the PreparedStatement query 
dynamically based on the number of elements in the IN clause, makeParams() 
should be used instead of concatenation. 


> Create PreparedStatement query dynamically when IN clause is used
> -----------------------------------------------------------------
>
>                 Key: HIVE-20551
>                 URL: https://issues.apache.org/jira/browse/HIVE-20551
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Laszlo Pinter
>            Assignee: Laszlo Pinter
>            Priority: Major
>
> In the MetaStoreDirectSql class, when an IN clause is used, the query statement 
> is created via string concatenation.
> Since the JDBC API allows only one literal per “?” parameter, 
> PreparedStatement doesn’t work for IN clause queries. To create the 
> PreparedStatement query dynamically based on the number of elements in the IN 
> clause, makeParams() should be used instead of concatenation. 
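As an added illustration (not code from the Hive patch or from MetaStoreDirectSql), the two shapes the ticket contrasts: an IN list built by concatenation, and a placeholder list generated from the value count and bound through PreparedStatement. The makeParams(int) helper, its signature, and the table and column names are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

public class InClauseExample {

    // Hypothetical helper modelled on the makeParams() the ticket names (its real
    // signature is not shown there): builds "?, ?, ?" for n values. An empty IN list
    // is rejected up front, since "in ()" is not valid SQL on most databases.
    static String makeParams(int n) {
        if (n <= 0) {
            throw new IllegalArgumentException("IN clause needs at least one value");
        }
        StringBuilder sb = new StringBuilder("?");
        for (int i = 1; i < n; i++) {
            sb.append(", ?");
        }
        return sb.toString();
    }

    // Unsafe shape: the values become part of the statement text, so any value that
    // contains SQL syntax changes what the statement means. Table/column names are illustrative.
    static String buildByConcatenation(List<String> partIds) {
        return "select \"PART_ID\", \"PART_NAME\" from \"PARTITIONS\" where \"PART_ID\" in ("
                + String.join(", ", partIds) + ")";
    }

    // Safe shape: only the number of placeholders varies; the statement text never
    // contains caller-supplied data.
    static String buildParameterized(int count) {
        return "select \"PART_ID\", \"PART_NAME\" from \"PARTITIONS\" where \"PART_ID\" in ("
                + makeParams(count) + ")";
    }

    // Binds each value to its placeholder (JDBC parameter indices are 1-based) and
    // returns the number of matching rows. Very long lists can exceed a database's
    // parameter limit; split such lists into batches before calling this.
    static int countMatching(Connection conn, List<Long> partIds) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(buildParameterized(partIds.size()))) {
            for (int i = 0; i < partIds.size(); i++) {
                ps.setLong(i + 1, partIds.get(i));
            }
            try (ResultSet rs = ps.executeQuery()) {
                int rows = 0;
                while (rs.next()) {
                    rows++;
                }
                return rows;
            }
        }
    }

    public static void main(String[] args) {
        System.out.println(buildParameterized(3));
    }
}
```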



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
