[
https://issues.apache.org/jira/browse/NIFI-978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361342#comment-16361342
]
ASF subversion and git services commented on NIFI-978:
------------------------------------------------------
Commit b5ca7adbb97c603cbc721e105c4fe279cdcb085b in nifi's branch
refs/heads/master from [~ca9mbu]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=b5ca7ad ]
NIFI-978: Support parameterized statements in ExecuteSQL
Signed-off-by: Pierre Villard <[email protected]>
This closes #2433.
> Support parameterized prepared statements in ExecuteSQL
> -------------------------------------------------------
>
> Key: NIFI-978
> URL: https://issues.apache.org/jira/browse/NIFI-978
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Reporter: Daryl Teo
> Assignee: Matt Burgess
> Priority: Minor
> Fix For: 1.6.0
>
>
> PutSQL and ExecuteSQL are highly inconsistent and leads to confusion.
> - PutSQL relies on FlowFile content to execute it's statement.
> - ExecuteSQL relies on SQL Select Command attribute
> - PutSQL supports parameterized statements through sql.args attributes
> - ExecuteSQL relies on Expression Language to insert dynamic properties
> The reliance on expression language for ExecuteSQL may also lead to potential
> SQL injection if one is not careful as it is a string replacement.
> Therefore in the interest of reliability and consistency I highly recommend
> that the SQL processors be standardised.
> Note: I prefer the sql command attribute for running SQL as opposed to the
> (lower visibility) content based command specification. Having the query
> attribute of ExecuteSQL, with the sql.args attributes of PutSQL would be a
> great improvement. If you support this, I will create a new issue in Jira.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
