Pierre Villard updated NIFI-978:
       Resolution: Fixed
    Fix Version/s: 1.6.0
           Status: Resolved  (was: Patch Available)

> Support parameterized prepared statements in ExecuteSQL
> -------------------------------------------------------
>                 Key: NIFI-978
>                 URL: https://issues.apache.org/jira/browse/NIFI-978
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Daryl Teo
>            Assignee: Matt Burgess
>            Priority: Minor
>             Fix For: 1.6.0
> PutSQL and ExecuteSQL are highly inconsistent and leads to confusion.
> - PutSQL relies on FlowFile content to execute it's statement.
> - ExecuteSQL relies on SQL Select Command attribute
> - PutSQL supports parameterized statements through sql.args attributes
> - ExecuteSQL relies on Expression Language to insert dynamic properties
> The reliance on expression language for ExecuteSQL may also lead to potential 
> SQL injection if one is not careful as it is a string replacement.
> Therefore in the interest of reliability and consistency I highly recommend 
> that the SQL processors be standardised.
> Note: I prefer the sql command attribute for running SQL as opposed to the 
> (lower visibility) content based command specification. Having the query 
> attribute of ExecuteSQL, with the sql.args attributes of PutSQL would be a 
> great improvement. If you support this, I will create a new issue in Jira.

This message was sent by Atlassian JIRA

Reply via email to