Istvan Toth created PHOENIX-6560:
------------------------------------
Summary: Rewrite dynamic SQL queries to use PreparedStatement
Key: PHOENIX-6560
URL: https://issues.apache.org/jira/browse/PHOENIX-6560
Project: Phoenix
Issue Type: Improvement
Components: core
Reporter: Istvan Toth
Most of the Phoenix code base already uses PreparedStatements, and adds all
potentially vulnerable data as parameters.
However, there are some places where we concatenate potentially problematic
strings into the query.
While most of those are constants and such, we should preferably pass all data
as parameters to be on the safe side.
(We still have to use dynamic strings for the PreparedStatement strings, for
handling things like IS NULL, empty IN clauses and such.)
Spotbugs marks these with SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, so they're
easy to find.
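As an added illustration (not code from the Phoenix code base), the pattern the issue describes in plain JDBC: the concatenating version Spotbugs would flag, beside one that keeps the statement text dynamic only for its shape (IS NULL, empty IN) and binds every data value as a parameter. The table name and the `TENANT_ID` column are assumed placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;

public final class ParameterizedFilter {

    /** Pattern the issue wants removed: data values concatenated into the SQL text. */
    static String unsafeQuery(String tableName, List<String> tenantIds) {
        return "SELECT * FROM " + tableName + " WHERE TENANT_ID IN ('"
                + String.join("','", tenantIds) + "')";
    }

    /**
     * Hardened version. The statement shape (IS NULL, empty IN, IN with N markers)
     * still has to be built dynamically, but every value is bound with setString.
     * tableName is assumed to be an internal constant: identifiers cannot be
     * bound as parameters, so they must never come from untrusted input.
     */
    static PreparedStatement safeQuery(Connection conn, String tableName,
                                       List<String> tenantIds) throws SQLException {
        StringBuilder sql = new StringBuilder("SELECT * FROM ")
                .append(tableName).append(" WHERE ");
        if (tenantIds == null) {
            // "IS NULL" cannot be expressed through a ? marker, hence the dynamic text.
            sql.append("TENANT_ID IS NULL");
        } else if (tenantIds.isEmpty()) {
            // "IN ()" is not valid SQL; an empty list becomes a filter matching nothing.
            sql.append("1 = 0");
        } else {
            sql.append("TENANT_ID IN (");
            for (int i = 0; i < tenantIds.size(); i++) {
                sql.append(i == 0 ? "?" : ", ?");
            }
            sql.append(')');
        }
        PreparedStatement ps = conn.prepareStatement(sql.toString());
        if (tenantIds != null) {
            for (int i = 0; i < tenantIds.size(); i++) {
                ps.setString(i + 1, tenantIds.get(i)); // JDBC parameter indexes are 1-based
            }
        }
        return ps;
    }
}
```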
--
This message was sent by Atlassian Jira
(v8.3.4#803005)