grundprinzip commented on code in PR #40508: URL: https://github.com/apache/spark/pull/40508#discussion_r1143577084
########## connector/connect/client/jvm/src/main/scala/org/apache/spark/sql/SparkSession.scala: ########## @@ -213,7 +213,9 @@ class SparkSession private[sql] ( * @param sqlText * A SQL statement with named parameters to execute. * @param args - * A map of parameter names to literal values. + * A map of parameter names to string values that are parsed as SQL literal expressions.

Review Comment:

```
DATE'2023-03-21'
```

Essentially this says: parse this literal as a date, and the output expression will be a date. This means you're interpreting the input, am I mistaken?

The core part is that users of the API will see that it supports parameter substitution and will believe it provides the same guarantees of fixed literals as, for example, prepared statements, which is not the case.

You're not able to perform full SQL injection using this API, but it's enough that you can't blindly mix trusted and untrusted input.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
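Review bot: the new `+` line in the `@param args` Scaladoc says the values are "string values that are parsed as SQL literal expressions" but stops short of telling the caller what that implies: the value is interpreted rather than bound, so a string parameter has to be passed already quoted (`'Steven'`, `DATE'2023-03-21'`), a bare `1` becomes a numeric literal, and any untrusted input must be quoted and escaped by the caller before it goes into the map. The line also does not say what happens when a value does not parse as a literal. Suggest extending the `@param args` text with one example of each accepted literal form, the quoting requirement, and the behaviour for non-literal input, so readers do not assume prepared-statement semantics from the word "parameter".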
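The distinction drawn in the comment above, a parameter value that is parsed as a SQL literal expression versus one that is bound as opaque data, modelled as an added Python example. This is illustrative code written for this page, not Spark's implementation or the code under review: `parse_literal`, `bind_parsed`, `bind_opaque`, `sql_quote` and `kinds_for` are hypothetical names, the toy grammar accepts only integer, single-quoted string and `DATE'...'` literals, and the user inputs in the demo are constructed. It shows why the same untrusted text yields a different literal type depending on whether it is quoted before being handed to the parsing API, while the opaque bind never looks at the content at all.

```python
"""Toy model of two ways a SQL API can accept parameters (added example, not Spark code).

bind_parsed models an API whose argument strings are parsed as SQL literal
expressions, so the API interprets the caller's text. bind_opaque models a
prepared-statement style bind, where a value is data and is never interpreted.
parse_literal recognises only three hypothetical literal forms; anything else is rejected.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict


@dataclass(frozen=True)
class Literal:
    kind: str   # "int", "string" or "date"
    value: Any


_INT = re.compile(r"-?\d+")
_STRING = re.compile(r"'((?:[^']|'')*)'")          # SQL string, '' escapes a quote
_DATE = re.compile(r"DATE'(\d{4}-\d{2}-\d{2})'", re.IGNORECASE)


def parse_literal(text: str) -> Literal:
    """Interpret text as a SQL literal (hypothetical grammar: int, 'string', DATE'...')."""
    text = text.strip()
    if _INT.fullmatch(text):
        return Literal("int", int(text))
    m = _STRING.fullmatch(text)
    if m:
        return Literal("string", m.group(1).replace("''", "'"))
    m = _DATE.fullmatch(text)
    if m:
        return Literal("date", date.fromisoformat(m.group(1)))
    # A bare word, "1 OR 1=1" or a subquery is not a literal and is rejected:
    # this is what keeps a literal-parsing API short of full SQL injection.
    raise ValueError(f"not a SQL literal: {text!r}")


def bind_parsed(args: Dict[str, str]) -> Dict[str, Literal]:
    """Parsing style: every value is text that gets interpreted."""
    return {name: parse_literal(text) for name, text in args.items()}


def bind_opaque(args: Dict[str, Any]) -> Dict[str, Literal]:
    """Prepared-statement style: the host type decides the literal kind and the
    content of a str is never inspected."""
    out: Dict[str, Literal] = {}
    for name, value in args.items():
        if isinstance(value, bool) or not isinstance(value, (int, str, date)):
            raise TypeError(f"unsupported parameter type for {name}: {type(value).__name__}")
        kind = "int" if isinstance(value, int) else "date" if isinstance(value, date) else "string"
        out[name] = Literal(kind, value)
    return out


def sql_quote(untrusted: str) -> str:
    """What a caller of the parsing API must do with untrusted text: turn it into
    a string literal, doubling embedded single quotes."""
    return "'" + untrusted.replace("'", "''") + "'"


def kinds_for(user_input: str) -> Dict[str, str]:
    """Bind the same untrusted text three ways and report the literal kind each
    style produces. Raises ValueError if the raw text is not a literal."""
    return {
        "parsed_raw": bind_parsed({"p": user_input})["p"].kind,
        "parsed_quoted": bind_parsed({"p": sql_quote(user_input)})["p"].kind,
        "opaque": bind_opaque({"p": user_input})["p"].kind,
    }


if __name__ == "__main__":
    # Constructed inputs: text a user might type into a "name" field.
    for text in ["Steven", "1", "DATE'2023-03-21'", "O'Brien", "1 OR 1=1"]:
        try:
            print(f"{text!r:22} -> {kinds_for(text)}")
        except ValueError as exc:
            print(f"{text!r:22} -> rejected by the parsing API: {exc}")
```

Running the demo shows the asymmetry the comment is about: `"1"` binds as an int when passed raw and as a string when quoted, `"DATE'2023-03-21'"` becomes a date when passed raw, while `bind_opaque` returns a string literal for both regardless of content; `"Steven"` and `"1 OR 1=1"` are rejected by the parsing style because they are not literals, so the failure mode is a type or value confusion rather than arbitrary query rewriting.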