Khurram Faraaz created DRILL-6215:
-------------------------------------

Summary: Use prepared statement instead of Statement in JdbcRecordReader class
Key: DRILL-6215
URL: https://issues.apache.org/jira/browse/DRILL-6215
Project: Apache Drill
Issue Type: Bug
Components: Storage - JDBC
Affects Versions: 1.12.0
Reporter: Khurram Faraaz
Use prepared statement instead of Statement in JdbcRecordReader class, which is more efficient and less vulnerable to SQL injection attacks.

Apache Drill 1.13.0-SNAPSHOT, commit: 9073aed67d89e8b2188870d6c812706085c9c41b

Findbugs reports the below bug and suggests that we use prepared statement instead of Statement.

{noformat}
In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
In method org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator)
At JdbcRecordReader.java:[line 170]
org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator) passes a nonconstant String to an execute method on an SQL statement

The method invokes the execute method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
{noformat}

LOC - https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170

{noformat}
To run with findbugs:
mvn clean install -Pfindbugs -DskipTests

Findbugs will write the output to findbugsXml.html in the target directory of each module. For example the java-exec module report is located at:
./exec/java-exec/target/findbugs/findbugsXml.html

Use find . -name "findbugsXml.html" to locate the files.
{noformat}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
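The pattern Findbugs flags (a dynamically built String handed to Statement.execute) next to its PreparedStatement form, as an added illustration that is not code from the Drill project or from JdbcRecordReader. The table `customers`, its column `name` and the input value `O'Brien` are constructed for the example; the JDBC URL is read from the command line so it runs against whatever driver is on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example: the same lookup written the way Findbugs flags it
 * (value spliced into the SQL text) and with the value bound as a
 * parameter of a PreparedStatement. Table and column names are
 * hypothetical and exist only for this illustration.
 */
public class PreparedVsStatement {

    /** Flagged pattern: the SQL text changes with the input, so the driver
     *  cannot tell where the query ends and the data begins. */
    static int countWithStatement(Connection conn, String customerName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM customers WHERE name = '" + customerName + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    /** Hardened form: the SQL text is constant, the value travels as a
     *  bound parameter and is never interpreted as part of the statement. */
    static int countWithPrepared(Connection conn, String customerName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM customers WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, customerName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    /** Usage: java PreparedVsStatement <jdbc-url> (any JDBC driver on the classpath). */
    public static void main(String[] args) throws SQLException {
        // Constructed input: a perfectly legitimate name that contains a quote.
        String name = "O'Brien";
        try (Connection conn = DriverManager.getConnection(args[0])) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE customers (name VARCHAR(64))");
            }
            try (PreparedStatement ins = conn.prepareStatement("INSERT INTO customers (name) VALUES (?)")) {
                ins.setString(1, name);
                ins.executeUpdate();
            }

            // The bound parameter finds the row regardless of what the value contains.
            System.out.println("prepared : " + countWithPrepared(conn, name));

            // The concatenated text is no longer the query the author wrote:
            // the quote inside the value terminates the string literal early,
            // so the driver reports a syntax error instead of a count.
            try {
                System.out.println("statement: " + countWithStatement(conn, name));
            } catch (SQLException e) {
                System.out.println("statement: SQL error -> " + e.getMessage());
            }
        }
    }
}
```

The benefit only appears where the variable part of the query becomes a bound parameter. Calling prepareStatement on a String that has already been fully assembled from untrusted pieces does not change what the driver executes, so a fix for the flagged line has to move the dynamic values out of the SQL text rather than just swap the API call.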