[jira] [Commented] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
[ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17013705#comment-17013705 ]

ASF GitHub Bot commented on DRILL-6215:
---------------------------------------

vvysotskyi commented on issue #1159: DRILL-6215: Changed Statement to PreparedStatement in JdbcRecordReader
URL: https://github.com/apache/drill/pull/1159#issuecomment-573404984

   Fixed in https://github.com/apache/drill/commit/4f55e71dc971d42054a031acd000ddf8337e90d9

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Assignee: Igor Guzenko
>            Priority: Major
>             Fix For: 1.18.0
>
>
> Use prepared statement instead of Statement in JdbcRecordReader class, which
> is more efficient and less vulnerable to SQL injection attacks.
> Apache Drill 1.13.0-SNAPSHOT, commit : 9073aed67d89e8b2188870d6c812706085c9c41b
> Findbugs reports the below bug and suggests that we use prepared statement
> instead of Statement.
> {noformat}
> In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
> In method org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator)
> At JdbcRecordReader.java:[line 170]
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator) passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute method on an SQL statement with a String that seems to be dynamically generated.
> Consider using a prepared statement instead.
> It is more efficient and less vulnerable to SQL injection attacks.
> {noformat}
> LOC -
> https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170
> {noformat}
> To run with findbugs:
> mvn clean install -Pfindbugs -DskipTests
> Findbugs will write the output to findbugsXml.html in the target directory of each module.
> For example the java-exec module report is located at:
> ./exec/java-exec/target/findbugs/findbugsXml.html
> Use
> find . -name "findbugsXml.html"
> to locate the files.
> {noformat}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
[ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17013706#comment-17013706 ]

ASF GitHub Bot commented on DRILL-6215:
---------------------------------------

vvysotskyi commented on pull request #1159: DRILL-6215: Changed Statement to PreparedStatement in JdbcRecordReader
URL: https://github.com/apache/drill/pull/1159

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Assignee: Igor Guzenko
>            Priority: Major
>             Fix For: 1.18.0
>
[jira] [Commented] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
[ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16668587#comment-16668587 ]

Vitalii Diravka commented on DRILL-6215:
----------------------------------------

[~khfaraaz] It may be useful to make it configurable. Possibly the type of {{java.sql.Statement}} can be specified in the RDBMS Storage Plugin configs.


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Assignee: Khurram Faraaz
>            Priority: Major
>             Fix For: Future
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
[ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16583740#comment-16583740 ]

ASF GitHub Bot commented on DRILL-6215:
---------------------------------------

arina-ielchiieva commented on issue #1159: DRILL-6215: Changed Statement to PreparedStatement in JdbcRecordReader
URL: https://github.com/apache/drill/pull/1159#issuecomment-413822555

   @kfaraaz did you have a chance to address issue with second file?

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Priority: Major
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
[ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16403090#comment-16403090 ]

ASF GitHub Bot commented on DRILL-6215:
---------------------------------------

Github user kfaraaz commented on the issue:

    https://github.com/apache/drill/pull/1159

    I don't know about the other file, I didn't add it. Let me check.
    Thanks,
    Khurram


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Priority: Major
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
[ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16400980#comment-16400980 ]

ASF GitHub Bot commented on DRILL-6215:
---------------------------------------

Github user kkhatua commented on the issue:

    https://github.com/apache/drill/pull/1159

    @kfaraaz Are there unit tests specific to the JDBC Storage Plugin? They're not the same as the JDBC unit tests, which test the Drill JDBC driver.
    While the change seems straightforward, I'm not sure if all JDBC drivers support PreparedStatement. For e.g., within Drill, the PreparedStatement is executed as a standard Statement object, which is why this _works_ functionally. What happens if a JDBC driver backing the JDBC storage plugin does not support PreparedStatement (i.e. it is a No-Op)?


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Priority: Major
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
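An added example (not Drill's JdbcRecordReader and not code from PR #1159) showing the shape Findbugs flags in the issue description, the PreparedStatement form, and the caveat behind kkhatua's driver question: a bind parameter only covers values, so a reader that assembles identifiers into its query text still has to validate them itself. The `records` and `events` tables, the `owner` column and the open `Connection` are assumptions.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not Drill's JdbcRecordReader: the shape Findbugs reports, a parameterized reader, and the identifier case '?' cannot cover.
public final class JdbcReadExamples {
  // Findbugs pattern: a dynamically built String reaches Statement.executeQuery, so every
  // character of 'owner' is SQL text and a quote character changes the query's meaning.
  static ResultSet readUnparameterized(Connection conn, String owner) throws SQLException {
    String sql = "SELECT id, owner, payload FROM records WHERE owner = '" + owner + "'";
    Statement stmt = conn.createStatement();   // caller closes it via rs.getStatement()
    return stmt.executeQuery(sql);
  }

  // Parameterized form: the SQL text is constant and 'owner' travels as a bound value.
  // A driver that only emulates prepared statements client-side still escapes bound values,
  // so the injection protection holds; the efficiency gain depends on server-side support.
  static ResultSet readParameterized(Connection conn, String owner) throws SQLException {
    PreparedStatement ps = conn.prepareStatement(
        "SELECT id, owner, payload FROM records WHERE owner = ?");
    ps.setString(1, owner);
    return ps.executeQuery();
  }

  // A reader that generates query text from a plan also splices in identifiers, which '?'
  // cannot bind: allow-list them and quote them with the driver's own identifier quote string.
  private static final Set<String> READABLE_TABLES = new HashSet<>(Arrays.asList("records", "events"));
  private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");
  static String quoteIdentifier(Connection conn, String ident) throws SQLException {
    if (!IDENT.matcher(ident).matches() || !READABLE_TABLES.contains(ident)) {
      throw new SQLException("identifier not permitted: " + ident);
    }
    DatabaseMetaData md = conn.getMetaData();
    String q = md.getIdentifierQuoteString();   // e.g. "\"" or "`"; a single space means unsupported
    if (q == null || q.trim().isEmpty()) {
      return ident;
    }
    return q + ident.replace(q, q + q) + q;
  }

  static ResultSet readFromTable(Connection conn, String table, String owner) throws SQLException {
    String sql = "SELECT id, owner, payload FROM " + quoteIdentifier(conn, table) + " WHERE owner = ?";
    PreparedStatement ps = conn.prepareStatement(sql);
    ps.setString(1, owner);
    return ps.executeQuery();
  }
}
```

Running the first two methods against any JDBC driver with an `owner` value containing a single quote makes the difference visible: the concatenated query fails or changes meaning, the bound one returns no rows for that literal value.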
[jira] [Commented] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
[ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16393868#comment-16393868 ]

ASF GitHub Bot commented on DRILL-6215:
---------------------------------------

GitHub user kfaraaz opened a pull request:

    https://github.com/apache/drill/pull/1159

    DRILL-6215: Changed Statement to PreparedStatement in JdbcRecordReader

    @bitblender Can you please review ?

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/kfaraaz/drill DRILL-6215

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/drill/pull/1159.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1159

----
commit c8e16b54323cfcef90f8633474571cdf3bfb7cf9
Author: Khurram Faraaz
Date:   2018-03-10T00:30:10Z

    DRILL-6215: Changed Statement to PreparedStatement in JdbcRecordReader

----


> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Priority: Major
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)