drill-issues mailing list archives

From "Khurram Faraaz (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DRILL-6215) Use prepared statement instead of Statement in JdbcRecordReader class
Date Tue, 06 Mar 2018 23:53:00 GMT
Khurram Faraaz created DRILL-6215:
-------------------------------------

             Summary: Use prepared statement instead of Statement in JdbcRecordReader class
                 Key: DRILL-6215
                 URL: https://issues.apache.org/jira/browse/DRILL-6215
             Project: Apache Drill
          Issue Type: Bug
          Components: Storage - JDBC
    Affects Versions: 1.12.0
            Reporter: Khurram Faraaz


Use prepared statement instead of Statement in JdbcRecordReader class, which is more efficient
and less vulnerable to SQL injection attacks.

Apache Drill 1.13.0-SNAPSHOT, commit : 9073aed67d89e8b2188870d6c812706085c9c41b

Findbugs reports the below bug and suggests that we use prepared statement instead of Statement.

{noformat}
In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
In method org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator)
At JdbcRecordReader.java:[line 170]
org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator) passes
a nonconstant String to an execute method on an SQL statement

The method invokes the execute method on an SQL statement with a String that seems to be dynamically
generated. 
Consider using a prepared statement instead. 
It is more efficient and less vulnerable to SQL injection attacks.

{noformat}

LOC - https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170
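For readers who want to see concretely what the Findbugs warning above is pointing at, here is an added illustration in plain JDBC (it is not Drill's code and does not reproduce JdbcRecordReader.setup(); the table, column and method names are constructed for the example). The first method is the flagged pattern: SQL text assembled at runtime and handed to Statement.executeQuery(), so any value spliced into the string becomes part of the SQL grammar. The second is the PreparedStatement form Findbugs recommends: the SQL text is a constant and the value travels as a bind parameter.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not from the Drill code base): the pattern behind the
 * Findbugs finding "passes a nonconstant String to an execute method on
 * an SQL statement", next to the prepared-statement form it suggests.
 * Table "customers" and column "region" are constructed for the example.
 */
public final class JdbcReadExample {

    /**
     * Flagged pattern: the SQL string is built at runtime and executed as-is.
     * If 'region' is ever supplied by an untrusted caller, it is parsed as SQL,
     * not treated as data. This is what the warning at line 170 describes.
     */
    static List<String> readWithStatement(Connection conn, String region) throws SQLException {
        String sql = "SELECT name FROM customers WHERE region = '" + region + "'";
        List<String> names = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString(1));
            }
        }
        return names;
    }

    /**
     * Recommended form: the SQL text is constant; the value is bound with
     * setString() and is never interpreted as SQL syntax. Drivers may also
     * cache the compiled statement, which is the efficiency point Findbugs notes.
     */
    static List<String> readWithPreparedStatement(Connection conn, String region) throws SQLException {
        final String sql = "SELECT name FROM customers WHERE region = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, region);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }
}
```

One caveat worth keeping in mind when applying this to a record reader that receives an already-built query string: calling prepareStatement(sql) on a fully assembled string with no "?" placeholders will satisfy the Findbugs rule but adds no injection protection, because nothing is bound as a parameter. The protection comes from keeping values out of the SQL text; identifiers such as table and column names cannot be bound at all and have to be validated against a known list or quoted with the target dialect's identifier quoting instead.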

{noformat}
To run with findbugs:
mvn clean install -Pfindbugs -DskipTests

Findbugs will write the output to findbugsXml.html in the target directory of each module.

For example the java-exec module report is located at: ./exec/java-exec/target/findbugs/findbugsXml.html
Use 
find . -name "findbugsXml.html"
to locate the files.
{noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
