Rajeshbabu Chintaguntla created PHOENIX-3613:
------------------------------------------------

             Summary: Avoid possible SQL Injection with proper input validations
                 Key: PHOENIX-3613
                 URL: https://issues.apache.org/jira/browse/PHOENIX-3613
             Project: Phoenix
          Issue Type: Bug
            Reporter: Rajeshbabu Chintaguntla
            Assignee: Rajeshbabu Chintaguntla


There are possible SQL injections:

Issue 1:
*Overview* : On line 139 of PhoenixUtil.java, the method 
executeStatementThrowException() invokes a SQL query built using input coming 
from an untrusted source. This call could allow an attacker to modify the 
statement's meaning or to execute arbitrary SQL commands.

*Comment* : As the source SQL query can have an IN clause, please use this 
link to fix it: 
http://stackoverflow.com/questions/3107044/preparedstatement-with-list-of-parameters-in-a-in-clause

Issue 2:
*Overview* : On line 60 of EntityFactory.java, the method findMultiple() 
invokes a SQL query built using input coming from an untrusted source. This 
call could allow an attacker to modify the statement's meaning or to execute 
arbitrary SQL commands.

*Comment* : Limit value can be misused as well.

*Tagged* : Suspicious

*Overview* : On line 154 of PhoenixUtil.java, the method executeStatement() 
invokes a SQL query built using input coming from an untrusted source. This 
call could allow an attacker to modify the statement's meaning or to execute 
arbitrary SQL commands.

*Comment* : Applying schema to file?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
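The fix the report points at for Issues 1 and 2 (bind IN-list values through PreparedStatement placeholders, and refuse a LIMIT that is not a plain integer) is shown below as an added example. It is not Phoenix or Pherf code, and it does not reproduce the flagged methods; the table name `T`, the column name, the class `SafeInQuery` and the sample values are all hypothetical. The vulnerable pattern is kept beside the hardened one so the difference is visible.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;

// Added example (not from Phoenix/Pherf). Table "T" and the column names
// are hypothetical; the point is the query-building pattern, not the schema.
public final class SafeInQuery {

    // BEFORE: the pattern the report flags. Caller-supplied values and the
    // LIMIT string are concatenated straight into the SQL text, so a value
    // containing a quote rewrites the statement.
    static String unsafeSql(String column, List<String> values, String limit) {
        return "SELECT * FROM T WHERE " + column + " IN ('"
                + String.join("','", values) + "') LIMIT " + limit;
    }

    // One "?" per IN-list element; the values themselves never touch the SQL text.
    static String placeholders(int n) {
        if (n <= 0) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        StringBuilder sb = new StringBuilder("?");
        for (int i = 1; i < n; i++) {
            sb.append(",?");
        }
        return sb.toString();
    }

    // Identifiers (column names) cannot be bound as parameters, so they are
    // restricted to a plain identifier shape instead of being trusted.
    static String checkIdentifier(String ident) {
        if (ident == null || !ident.matches("[A-Za-z_][A-Za-z0-9_]{0,63}")) {
            throw new IllegalArgumentException("invalid identifier: " + ident);
        }
        return ident;
    }

    // LIMIT is parsed as a number before use: "10; DROP TABLE T" fails here
    // with NumberFormatException, and a negative count is refused too. The
    // validated long is appended as a literal, which cannot change the
    // statement's meaning, so this does not depend on the driver accepting
    // a bind parameter in LIMIT (an assumption this example avoids).
    static long checkLimit(String limit) {
        long n = Long.parseLong(limit.trim());
        if (n < 0) {
            throw new IllegalArgumentException("negative LIMIT: " + n);
        }
        return n;
    }

    // AFTER: SQL text is built only from validated identifiers, placeholders
    // and a validated integer; the IN-list values are bound separately.
    static String safeSql(String column, int valueCount, String limit) {
        return "SELECT * FROM T WHERE " + checkIdentifier(column)
                + " IN (" + placeholders(valueCount) + ") LIMIT " + checkLimit(limit);
    }

    static PreparedStatement prepare(Connection conn, String column,
                                     List<String> values, String limit) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(safeSql(column, values.size(), limit));
        for (int i = 0; i < values.size(); i++) {
            ps.setString(i + 1, values.get(i)); // JDBC parameters are 1-based
        }
        return ps;
    }

    public static void main(String[] args) {
        // Constructed hostile input: the first value tries to close the quote
        // and tack on a tautology.
        List<String> hostile = List.of("a') OR 1=1 --", "b");
        System.out.println("unsafe: " + unsafeSql("NAME", hostile, "10"));
        System.out.println("safe:   " + safeSql("NAME", hostile.size(), "10"));
        try {
            checkLimit("10; DROP TABLE T");
        } catch (NumberFormatException e) {
            System.out.println("hostile LIMIT rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints the concatenated statement with the injected `') OR 1=1 --` visible in the SQL text, the parameterized form with `IN (?,?)`, and the rejected LIMIT. `prepare()` needs a real `Connection` and is shown only to make the binding order explicit; the three check/build functions run without a database.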