[jira] [Assigned] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
[
https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Arina Ielchiieva reassigned DRILL-6215:
---
Assignee: Igor Guzenko (was: Khurram Faraaz)
> Use prepared statement instead of Statement in JdbcRecordReader class
> -
>
> Key: DRILL-6215
> URL: https://issues.apache.org/jira/browse/DRILL-6215
> Project: Apache Drill
> Issue Type: Bug
> Components: Storage - JDBC
>Affects Versions: 1.12.0
>Reporter: Khurram Faraaz
>Assignee: Igor Guzenko
>Priority: Major
> Fix For: Future
>
>
> Use prepared statement instead of Statement in JdbcRecordReader class, which
> is more efficient and less vulnerable to SQL injection attacks.
> Apache Drill 1.13.0-SNAPSHOT, commit :
> 9073aed67d89e8b2188870d6c812706085c9c41b
> Findbugs reports the below bug and suggests that we use prepared statement
> instead of Statement.
> {noformat}
> In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
> In method
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext,
> OutputMutator)
> At JdbcRecordReader.java:[line 170]
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext,
> OutputMutator) passes a nonconstant String to an execute method on an SQL
> statement
> The method invokes the execute method on an SQL statement with a String that
> seems to be dynamically generated.
> Consider using a prepared statement instead.
> It is more efficient and less vulnerable to SQL injection attacks.
> {noformat}
> LOC -
> https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170
> {noformat}
> To run with findbugs:
> mvn clean install -Pfindbugs -DskipTests
> Findbugs will wirite the output to finbugsXml.html in the target directory of
> each module.
> For example the java-exec module report is located at:
> ./exec/java-exec/target/findbugs/findbugsXml.html
> Use
> find . -name "findbugsXml.html"
> to locate the files.
> {noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Assigned] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
[
https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vitalii Diravka reassigned DRILL-6215:
--
Assignee: Khurram Faraaz
> Use prepared statement instead of Statement in JdbcRecordReader class
> -
>
> Key: DRILL-6215
> URL: https://issues.apache.org/jira/browse/DRILL-6215
> Project: Apache Drill
> Issue Type: Bug
> Components: Storage - JDBC
>Affects Versions: 1.12.0
>Reporter: Khurram Faraaz
>Assignee: Khurram Faraaz
>Priority: Major
> Fix For: Future
>
>
> Use prepared statement instead of Statement in JdbcRecordReader class, which
> is more efficient and less vulnerable to SQL injection attacks.
> Apache Drill 1.13.0-SNAPSHOT, commit :
> 9073aed67d89e8b2188870d6c812706085c9c41b
> Findbugs reports the below bug and suggests that we use prepared statement
> instead of Statement.
> {noformat}
> In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
> In method
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext,
> OutputMutator)
> At JdbcRecordReader.java:[line 170]
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext,
> OutputMutator) passes a nonconstant String to an execute method on an SQL
> statement
> The method invokes the execute method on an SQL statement with a String that
> seems to be dynamically generated.
> Consider using a prepared statement instead.
> It is more efficient and less vulnerable to SQL injection attacks.
> {noformat}
> LOC -
> https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170
> {noformat}
> To run with findbugs:
> mvn clean install -Pfindbugs -DskipTests
> Findbugs will wirite the output to finbugsXml.html in the target directory of
> each module.
> For example the java-exec module report is located at:
> ./exec/java-exec/target/findbugs/findbugsXml.html
> Use
> find . -name "findbugsXml.html"
> to locate the files.
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
