[GitHub] [spark] grundprinzip commented on a diff in pull request #40508: [MINOR][SQL][CONNECT][PYTHON] Clarify the comment of parameterized SQL args

2023-03-21 Thread via GitHub


grundprinzip commented on code in PR #40508:
URL: https://github.com/apache/spark/pull/40508#discussion_r1143612707


##
connector/connect/client/jvm/src/main/scala/org/apache/spark/sql/SparkSession.scala:
##
@@ -213,7 +213,9 @@ class SparkSession private[sql] (
* @param sqlText
*   A SQL statement with named parameters to execute.
* @param args
-   *   A map of parameter names to literal values.
+   *   A map of parameter names to string values that are parsed as SQL 
literal expressions.
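Review bot: the replacement `@param args` text still leaves the security-relevant behaviour implicit. "string values that are parsed as SQL literal expressions" does not tell a caller that each value is handed to the SQL parser as a fragment of SQL text, nor that the binding gives none of the fixed-value guarantees of a prepared statement, so the natural reading is that untrusted input can go into `args`. Suggest stating both in the Scaladoc, for example: `A map of parameter names to SQL text fragments, each parsed as a literal expression (for example DATE'2023-03-21'). Values are not bound as fixed values the way prepared-statement parameters are, so do not place untrusted input here.`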

Review Comment:
   What I say remains true: you have to have significant internal knowledge of how the implementation works to understand what happens. For the user of the API, it's not clear how the input values are (parsed|interpreted|processed).
   
   This is a security concern and should be treated as such.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org



[GitHub] [spark] grundprinzip commented on a diff in pull request #40508: [MINOR][SQL][CONNECT][PYTHON] Clarify the comment of parameterized SQL args

2023-03-21 Thread via GitHub


grundprinzip commented on code in PR #40508:
URL: https://github.com/apache/spark/pull/40508#discussion_r1143577084


##
connector/connect/client/jvm/src/main/scala/org/apache/spark/sql/SparkSession.scala:
##
@@ -213,7 +213,9 @@ class SparkSession private[sql] (
* @param sqlText
*   A SQL statement with named parameters to execute.
* @param args
-   *   A map of parameter names to literal values.
+   *   A map of parameter names to string values that are parsed as SQL 
literal expressions.

Review Comment:
   ```
   DATE'2023-03-21'
   ```
   Essentially says parse this literal as a date and the output expression will be a date. This means you're interpreting the input, am I mistaken?
   
   The core part is that users of the API will see that it supports parameter substitution and will believe it provides the same guarantees of fixed literals as, for example, prepared statements, which is not the case. You're not able to perform full SQL injection using this API, but it's enough that you can't blindly mix trusted and untrusted input.





[GitHub] [spark] grundprinzip commented on a diff in pull request #40508: [MINOR][SQL][CONNECT][PYTHON] Clarify the comment of parameterized SQL args

2023-03-21 Thread via GitHub


grundprinzip commented on code in PR #40508:
URL: https://github.com/apache/spark/pull/40508#discussion_r1143538305


##
connector/connect/client/jvm/src/main/scala/org/apache/spark/sql/SparkSession.scala:
##
@@ -213,7 +213,9 @@ class SparkSession private[sql] (
* @param sqlText
*   A SQL statement with named parameters to execute.
* @param args
-   *   A map of parameter names to literal values.
+   *   A map of parameter names to string values that are parsed as SQL 
literal expressions.

Review Comment:
   ```suggestion
   *   A map of parameter names to string values that are parsed as fragments of SQL text and
   *   interpreted as literal expressions. The parameter bindings do not provide any safety
   *   guarantees on how the SQL fragment is interpreted and should not be treated as fixed
   *   values like in prepared statements.
   ```
   
   I think we need to be much much clearer on what the actual behavior is.



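The two comments above make one practical point: because each value in `args` is parsed as SQL text rather than bound as a fixed value, a caller who wants to pass anything derived from untrusted input has to make sure that what reaches the parser is exactly one literal. The following is an added example written for this thread, not code from Spark or from the PR. It assumes only what the thread states (values are strings parsed as SQL literal expressions such as `DATE'2023-03-21'`) plus Spark's default string-literal grammar with backslash escapes (`spark.sql.parser.escapedStringLiterals=false`); the helper names, the accepted-literal regex and the hostile sample input are this example's own.

```python
"""Build Spark's parameterized-SQL `args` map from Python values.

Added example for this review thread; it is not Spark project code. It assumes
what the thread states: `spark.sql(sqlText, args)` takes `args` as a map of
parameter names to *strings* that Spark parses as SQL literal expressions
(e.g. DATE'2023-03-21'), not values bound as in a prepared statement. The
escaping rules assume Spark's default string-literal grammar (backslash
escapes, spark.sql.parser.escapedStringLiterals=false). The helper and regex
names are this example's own.
"""
import datetime
import re
from decimal import Decimal
from typing import Dict, Union

Scalar = Union[None, bool, int, float, Decimal, str, datetime.date, datetime.datetime]

# Accepts exactly one literal and nothing else: no operators, no function calls,
# no adjacent string literals ('a' 'b'), no trailing text after a literal.
_SINGLE_LITERAL = re.compile(
    r"""^(?:
        NULL | TRUE | FALSE
      | -?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?       # numeric literal
      | '(?:[^'\\]|\\.)*'                       # one single-quoted string literal
      | (?:DATE|TIMESTAMP)'[0-9T:. \-]+'        # typed date/timestamp literal
    )$""",
    re.VERBOSE | re.IGNORECASE | re.DOTALL,
)


def is_single_literal(text: str) -> bool:
    """True if `text` is one self-contained SQL literal under the grammar above."""
    return _SINGLE_LITERAL.fullmatch(text) is not None


def to_sql_literal(value: Scalar) -> str:
    """Render a Python scalar as one Spark SQL literal, escaped so the parser
    cannot see anything but that literal."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # before int: bool is a subclass of int
        return "TRUE" if value else "FALSE"
    if isinstance(value, (int, Decimal)):
        return str(value)
    if isinstance(value, float):
        if value != value or value in (float("inf"), float("-inf")):
            raise ValueError("NaN/inf have no plain numeric literal")
        return repr(value)
    if isinstance(value, datetime.datetime):
        if value.tzinfo is not None:
            raise ValueError("pass naive timestamps; zone handling is session-dependent")
        return "TIMESTAMP'" + value.isoformat(sep=" ") + "'"
    if isinstance(value, datetime.date):
        return "DATE'" + value.isoformat() + "'"
    if isinstance(value, str):
        # Backslash and single quote are the only characters that can end the
        # literal or start an escape: double the backslash, escape the quote.
        escaped = value.replace("\\", "\\\\").replace("'", "\\'")
        return "'" + escaped + "'"
    raise TypeError(f"no SQL literal for {type(value).__name__}")


def build_args(values: Dict[str, Scalar]) -> Dict[str, str]:
    """Map parameter names to literal text, then re-check every entry so an
    unexpected rendering can never reach the parser as a free-form fragment."""
    args: Dict[str, str] = {}
    for name, value in values.items():
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
            raise ValueError(f"bad parameter name: {name!r}")
        text = to_sql_literal(value)
        if not is_single_literal(text):
            raise ValueError(f"{name}: {text!r} is not a single literal")
        args[name] = text
    return args


if __name__ == "__main__":
    # Constructed hostile input: a quote and a statement separator in a "name".
    hostile = "O'Brien'; DROP TABLE users; --"
    args = build_args({"name": hostile, "since": datetime.date(2023, 3, 21)})
    print(args)
    # The intended call needs a live SparkSession and is not run here:
    # spark.sql("SELECT * FROM users WHERE name = :name AND joined >= :since", args)
    # The raw untrusted string must never be placed in args directly:
    print(is_single_literal(hostile))          # False
    print(is_single_literal(args["name"]))     # True
```

This does not change what Spark does with the string; it only guarantees that the text handed over is one literal under the stated grammar, which is the property the reviewer says the API itself does not give you. If `spark.sql.parser.escapedStringLiterals` is enabled, backslash escapes are taken literally and the string branch of `to_sql_literal` no longer neutralises a single quote, so treat that setting, and any Spark version whose literal grammar differs, as a reason not to pass untrusted values through `args` at all.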