[ https://issues.apache.org/jira/browse/SPARK-10857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14937732#comment-14937732 ]
Suresh Thalamati commented on SPARK-10857:
------------------------------------------

One issue I ran into with the getSchema() call was that even if Spark uses Java 7 and above, the JDBC driver versions customers are using may not have support for getSchema(). I tried on a couple of databases I had, and got an error on getSchema(). It is possible I have old drivers.

postgresql-9.3-1101-jdbc4.jar
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.75.x86_64/bin/java -
Exception in thread "main" java.sql.SQLFeatureNotSupportedException: Method org.postgresql.jdbc4.Jdbc4Connection.getSchema() is not yet implemented.
    at org.postgresql.Driver.notImplemented(Driver.java:729)
    at org.postgresql.jdbc4.AbstractJdbc4Connection.getSchema(AbstractJdbc4Connection.java:239)

MySQL: Implementation-Version: 5.1.17-SNAPSHOT
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.75.x86_64/
Exception in thread "main" java.sql.SQLFeatureNotSupportedException: Not supported
    at com.mysql.jdbc.JDBC4Connection.getSchema(JDBC4Connection.java:253)
...

> SQL injection bug in JdbcDialect.getTableExistsQuery()
> ------------------------------------------------------
>
>                 Key: SPARK-10857
>                 URL: https://issues.apache.org/jira/browse/SPARK-10857
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 1.5.0
>            Reporter: Rick Hillegas
>            Priority: Minor
>
> All of the implementations of this method involve constructing a query by
> concatenating boilerplate text with a user-supplied name. This looks like a
> SQL injection bug to me.
> A better solution would be to call java.sql.DatabaseMetaData.getTables() to
> implement this method, using the catalog and schema which are available from
> Connection.getCatalog() and Connection.getSchema(). This would not work on
> Java 6 because Connection.getSchema() was introduced in Java 7. However, the
> solution would work for more modern JVMs. Limiting the vulnerability to
> obsolete JVMs would at least be an improvement over the current situation.
> Java 6 has been end-of-lifed and is not an appropriate platform for users who
> are concerned about security.
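
An added example, not part of the original thread and not Spark's code: the DatabaseMetaData.getTables() lookup proposed in the issue, with a fallback for drivers that reject Connection.getSchema() as reported in the comment. The class and method names, the proxy-based stand-in driver and the sample table name are hypothetical and constructed for illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.sql.*;

// Added example; all names here are hypothetical, not taken from Spark.
public final class TableExistsCheck {
    // Current schema, or null when the driver stubs out getSchema()
    // (SQLFeatureNotSupportedException) or predates JDBC 4.1 (AbstractMethodError).
    static String schemaOrNull(Connection conn) throws SQLException {
        try {
            return conn.getSchema();
        } catch (SQLFeatureNotSupportedException | AbstractMethodError e) {
            return null; // null schemaPattern: getTables() does not narrow by schema
        }
    }

    // The name travels as a metadata argument; no SQL text is built from it.
    static boolean tableExists(Connection conn, String table) throws SQLException {
        DatabaseMetaData md = conn.getMetaData();
        String esc = md.getSearchStringEscape();
        String pattern = table;
        if (esc != null && !esc.isEmpty()) {
            // tableNamePattern is LIKE-style: escape '_' and '%' so the name matches only itself
            pattern = table.replace(esc, esc + esc).replace("_", esc + "_").replace("%", esc + "%");
        }
        try (ResultSet rs = md.getTables(conn.getCatalog(), schemaOrNull(conn), pattern, null)) {
            return rs.next();
        }
    }

    // Constructed stand-ins for a driver, so the demo runs without a database.
    static <T> T stub(Class<T> type, InvocationHandler h) {
        ClassLoader cl = TableExistsCheck.class.getClassLoader();
        return type.cast(Proxy.newProxyInstance(cl, new Class<?>[] {type}, h));
    }

    public static void main(String[] args) throws SQLException {
        ResultSet empty = stub(ResultSet.class,
            (p, m, a) -> m.getName().equals("next") ? Boolean.FALSE : null);
        DatabaseMetaData md = stub(DatabaseMetaData.class,
            (p, m, a) -> m.getName().equals("getTables") ? empty : "\\");
        Connection conn = stub(Connection.class, (p, m, a) -> {
            if (m.getName().equals("getSchema")) throw new SQLFeatureNotSupportedException("Not supported");
            return m.getName().equals("getMetaData") ? md : null;
        });
        // The quote characters in this constructed name are plain data to getTables().
        System.out.println(tableExists(conn, "people' OR '1'='1"));
    }
}
```

When the fallback returns a null schema, the lookup can match a same-named table in another schema, and databases differ in how they fold identifier case, so the name has to be passed in the case the database stores it.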