[GitHub] [spark] grundprinzip commented on a diff in pull request #40508: [MINOR][SQL][CONNECT][PYTHON] Clarify the comment of parameterized SQL args
grundprinzip commented on code in PR #40508: URL: https://github.com/apache/spark/pull/40508#discussion_r1143612707 ## connector/connect/client/jvm/src/main/scala/org/apache/spark/sql/SparkSession.scala: ## @@ -213,7 +213,9 @@ class SparkSession private[sql] ( * @param sqlText * A SQL statement with named parameters to execute. * @param args - * A map of parameter names to literal values. + * A map of parameter names to string values that are parsed as SQL literal expressions. Review Comment: What I say remains true, you have to have significant internal knowledge of how the implementation works to understand what happens. For the user of the API, it's not clear how the input values are (parsed|interpreted|processed). This is a security concern and should be treated as such. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org For additional commands, e-mail: reviews-h...@spark.apache.org
[GitHub] [spark] grundprinzip commented on a diff in pull request #40508: [MINOR][SQL][CONNECT][PYTHON] Clarify the comment of parameterized SQL args
grundprinzip commented on code in PR #40508: URL: https://github.com/apache/spark/pull/40508#discussion_r1143577084 ## connector/connect/client/jvm/src/main/scala/org/apache/spark/sql/SparkSession.scala: ## @@ -213,7 +213,9 @@ class SparkSession private[sql] ( * @param sqlText * A SQL statement with named parameters to execute. * @param args - * A map of parameter names to literal values. + * A map of parameter names to string values that are parsed as SQL literal expressions. Review Comment: ``` DATE'2023-03-21' ``` Essentially says parse this literal as a date and the output expression will be a date. This means you're interpreting the input, am I mistaken? The core part is that users of the API will see that it supports parameter substitution and will believe it provides the same guarantees of fixed literals as for example prepared statements which is not the case. You're not able to perform full SQL injection using this API but it's enough that you can't blindly mix trusted and untrusted input. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org For additional commands, e-mail: reviews-h...@spark.apache.org
[GitHub] [spark] grundprinzip commented on a diff in pull request #40508: [MINOR][SQL][CONNECT][PYTHON] Clarify the comment of parameterized SQL args
grundprinzip commented on code in PR #40508: URL: https://github.com/apache/spark/pull/40508#discussion_r1143538305 ## connector/connect/client/jvm/src/main/scala/org/apache/spark/sql/SparkSession.scala: ## @@ -213,7 +213,9 @@ class SparkSession private[sql] ( * @param sqlText * A SQL statement with named parameters to execute. * @param args - * A map of parameter names to literal values. + * A map of parameter names to string values that are parsed as SQL literal expressions. Review Comment: ```suggestion * A map of parameter names to string values that are parsed as fragments of SQL text and interpreted as literal expressions. The parameter bindings do not provide any safety guarantees on how the SQL fragment is interpreted and should not be treated as fixed values like in prepared statements. ``` I think we need to be much much clearer on what the actual behavior is. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org For additional commands, e-mail: reviews-h...@spark.apache.org