[ https://issues.apache.org/jira/browse/PHOENIX-6560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17713892#comment-17713892 ]

ASF GitHub Bot commented on PHOENIX-6560:
-----------------------------------------

kabhishek4 commented on code in PR #1586:
URL: https://github.com/apache/phoenix/pull/1586#discussion_r1170807503


##########
phoenix-core/src/main/java/org/apache/phoenix/mapreduce/index/IndexTool.java:
##########
@@ -598,18 +599,31 @@ private Job configureJobForPartialBuild() throws 
Exception {
         }
         
         private long getMaxRebuildAsyncDate(String schemaName, List<String> 
disableIndexes) throws SQLException {
-            Long maxRebuilAsyncDate=HConstants.LATEST_TIMESTAMP;
-            Long maxDisabledTimeStamp=0L;
-            if (disableIndexes == null || disableIndexes.isEmpty()) { return 
0; }
+            Long maxRebuilAsyncDate = HConstants.LATEST_TIMESTAMP;
+            Long maxDisabledTimeStamp = 0L;
+            if (disableIndexes == null || disableIndexes.isEmpty()) {
+                return 0;
+            }
             List<String> quotedIndexes = new 
ArrayList<String>(disableIndexes.size());
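Review bot: since this hunk already reformats the two local declarations at the top of getMaxRebuildAsyncDate, it is the right moment to also fix the misspelled local maxRebuilAsyncDate (missing "d") to maxRebuildAsyncDate, and to declare both locals as primitive long instead of boxed Long. Both are initialised from primitive values (HConstants.LATEST_TIMESTAMP and 0L) and the method itself returns a primitive long, so the boxing buys nothing here and any later == comparison between two Long objects would compare references rather than values. Suggested: `long maxRebuildAsyncDate = HConstants.LATEST_TIMESTAMP;` and `long maxDisabledTimeStamp = 0L;`.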

Review Comment:
   I have addressed this comment in a somewhat different way. Added
   void setQuoteInListElements(PreparedStatement ps, String unQuotedString, int index)
   which will add quotes to one of the elements and set it to the correct index
   of the prepared statement. Using it, one of the loops got eliminated. This
   version of setQuoteInListElements can further be overloaded as appropriate. I
   hope that's ok.





> Rewrite dynamic SQL queries to use Preparedstatement
> ----------------------------------------------------
>
>                 Key: PHOENIX-6560
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6560
>             Project: Phoenix
>          Issue Type: Improvement
>          Components: core
>            Reporter: Istvan Toth
>            Assignee: Abhishek Kothalikar
>            Priority: Major
>
> Most of the Phoenix code base already uses PreparedStatements, and adds all 
> potentially vulnerable data as parameters.
> However, there are some places where we concatenate potentially problematic 
> strings into the query.
> While most of those are constants and such, we should preferably pass all 
> data as parameters to be on the safe side.
> (We still have to use dynamic strings for the PreparedStatement strings, for
> handling things such as IS NULL, empty IN clauses and such.)
> Spotbugs marks these with SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, so 
> they're easy to find.
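As an added illustration of the pattern the issue description asks for (this is example code written for this page, not code from the Phoenix PR or the Phoenix code base), the helper below builds an IN clause with one placeholder per list element and binds each element through PreparedStatement.setString, shown beside the concatenating form that Spotbugs flags. The table and column names (EXAMPLE_INDEX_STATE, INDEX_NAME, REBUILD_TS) and the method names are invented for the example; only the placeholder-building and binding logic is the point.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not Phoenix code): binding a variable-length IN list
 * through PreparedStatement parameters instead of quoting and splicing
 * the values into the SQL text. Table and column names are invented.
 */
public final class InClauseParams {

    /** The shape Spotbugs flags: data is escaped by hand and concatenated. */
    static String concatenatedQuery(List<String> indexNames) {
        StringBuilder sql = new StringBuilder(
            "SELECT MAX(REBUILD_TS) FROM EXAMPLE_INDEX_STATE WHERE INDEX_NAME IN (");
        for (int i = 0; i < indexNames.size(); i++) {
            if (i > 0) sql.append(',');
            // A value containing a single quote breaks out of the literal.
            sql.append('\'').append(indexNames.get(i)).append('\'');
        }
        return sql.append(')').toString();
    }

    /**
     * The SQL text is still built dynamically (the number of placeholders
     * depends on the list size), but it contains no caller-supplied data.
     */
    static String parameterizedQuery(int count) {
        if (count <= 0) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        String placeholders = String.join(",", Collections.nCopies(count, "?"));
        return "SELECT MAX(REBUILD_TS) FROM EXAMPLE_INDEX_STATE WHERE INDEX_NAME IN ("
            + placeholders + ")";
    }

    /** Bind each element to its 1-based parameter slot; the driver handles quoting. */
    static void bindStrings(PreparedStatement ps, int firstIndex, List<String> values)
            throws SQLException {
        for (int i = 0; i < values.size(); i++) {
            ps.setString(firstIndex + i, values.get(i));
        }
    }

    /** Mirrors the early return in the patch: an empty list yields 0 without a query. */
    static long maxRebuildTimestamp(Connection conn, List<String> indexNames)
            throws SQLException {
        if (indexNames == null || indexNames.isEmpty()) {
            return 0L;
        }
        String sql = parameterizedQuery(indexNames.size());
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            bindStrings(ps, 1, indexNames);
            try (ResultSet rs = ps.executeQuery()) {
                // getLong returns 0 for SQL NULL, which is what MAX() yields on no rows.
                return rs.next() ? rs.getLong(1) : 0L;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: the second name carries a quote to show the difference.
        List<String> names = Arrays.asList("IDX_ORDERS", "IDX_X' OR '1'='1");
        System.out.println(concatenatedQuery(names));         // the quote lands in the SQL text
        System.out.println(parameterizedQuery(names.size())); // only '?' placeholders
    }
}
```

With a live Phoenix connection, maxRebuildTimestamp(conn, names) is the call a practitioner would make; the main method only needs the JDK because it demonstrates the two query strings without executing them. Note that the parameterized form still produces a different SQL string for each list size, which is exactly the case the description carves out: the text is dynamic, the data is not.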



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
