[
https://issues.apache.org/jira/browse/SPARK-30631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dongjoon Hyun updated SPARK-30631:
----------------------------------
Affects Version/s: 3.1.0 (was: 3.0.0)
> Mitigate SQL injections - can't parameterize query parameters for JDBC
> connectors
> ---------------------------------------------------------------------------------
>
> Key: SPARK-30631
> URL: https://issues.apache.org/jira/browse/SPARK-30631
> Project: Spark
> Issue Type: Improvement
> Components: Spark Core
> Affects Versions: 3.1.0
> Reporter: Jorge
> Priority: Major
> Labels: jdbc, security
>
> One of the options to read from a JDBC connection is a query.
> Sometimes, this query is parameterized (e.g. column name, values, etc).
> The JDBC API does not support parameterizing SQL queries, which puts the
> burden of escaping SQL on the developer. This burden is unnecessary and a
> security risk.
> Very often, drivers provide a specific API to securely parameterize SQL
> statements.
> This issue proposes allowing the developers to pass "query" and "parameters"
> to the JDBC options, so that it is the driver, not the developer, that escapes
> parameters.
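The contrast the report draws, shown as an added example that is not code from the issue or from Spark: Python's sqlite3 module stands in for a JDBC driver, `query_by_concatenation` is the string-building pattern a developer is pushed into when only a whole `query` string can be supplied, `query_by_escaped_literal` is the hand-rolled escaping the report calls an unnecessary burden, and `query_by_parameters` is the driver-side binding the proposal wants to delegate to. The table, rows and the `?` placeholder style are assumptions of this example (JDBC drivers use the same `?` convention in prepared statements).

```python
import sqlite3

# Constructed sample data standing in for the remote table behind the JDBC source.
ROWS = [("alice", "eng"), ("O'Brien", "ops"), ("bob", "eng")]


def make_db():
    """Build an in-memory database (assumed schema) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", ROWS)
    return conn


def query_by_concatenation(conn, name):
    """The pattern the issue warns about: the caller assembles the whole query
    text (as one does today when only a 'query' option is available) and is
    responsible for escaping. Here no escaping is done, which is the common
    mistake; any quote character in the value alters the statement."""
    sql = "SELECT name, dept FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def quote_literal(value):
    """Hand-written escaping: double every single quote and wrap in quotes.
    This is the 'burden' the issue describes: it is dialect-specific (for
    instance, some databases also treat backslash as an escape character), so
    a rule that is correct for one driver is not automatically safe for another."""
    return "'" + value.replace("'", "''") + "'"


def query_by_escaped_literal(conn, name):
    """Concatenation with manual escaping; correct for SQLite's quoting rules,
    but the developer, not the driver, is the one guaranteeing that."""
    sql = "SELECT name, dept FROM employees WHERE name = " + quote_literal(name)
    return conn.execute(sql).fetchall()


def query_by_parameters(conn, name):
    """What the issue proposes Spark should allow: the query text carries a
    placeholder and the value travels separately; the driver binds it, so the
    value can never change the statement's structure."""
    sql = "SELECT name, dept FROM employees WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run each approach on a plain value and on a value containing a quote,
    returning a dict of outcomes so the behaviours can be compared."""
    conn = make_db()
    results = {
        "param_plain": query_by_parameters(conn, "alice"),
        "param_quote": query_by_parameters(conn, "O'Brien"),
        "escaped_quote": query_by_escaped_literal(conn, "O'Brien"),
        "concat_plain": query_by_concatenation(conn, "alice"),
    }
    try:
        query_by_concatenation(conn, "O'Brien")
        results["concat_quote"] = "ok"
    except sqlite3.Error:
        # The unescaped quote breaks the statement; with other inputs it would
        # instead change what the statement does, which is the injection risk.
        results["concat_quote"] = "error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A value as ordinary as a surname with an apostrophe is enough to show the difference: the bound parameter and the correctly escaped literal both return the matching row, while plain concatenation fails to parse. The point of the proposal is that the third outcome should not depend on every developer remembering the second.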
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]