[ https://issues.apache.org/jira/browse/DRILL-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vitalii Diravka reassigned DRILL-6215:
--------------------------------------

    Assignee: Khurram Faraaz

> Use prepared statement instead of Statement in JdbcRecordReader class
> ---------------------------------------------------------------------
>
>                 Key: DRILL-6215
>                 URL: https://issues.apache.org/jira/browse/DRILL-6215
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Storage - JDBC
>    Affects Versions: 1.12.0
>            Reporter: Khurram Faraaz
>            Assignee: Khurram Faraaz
>            Priority: Major
>             Fix For: Future
>
>
> Use prepared statement instead of Statement in JdbcRecordReader class, which
> is more efficient and less vulnerable to SQL injection attacks.
> Apache Drill 1.13.0-SNAPSHOT, commit:
> 9073aed67d89e8b2188870d6c812706085c9c41b
> Findbugs reports the below bug and suggests that we use prepared statement
> instead of Statement.
> {noformat}
> In class org.apache.drill.exec.store.jdbc.JdbcRecordReader
> In method org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator)
> At JdbcRecordReader.java:[line 170]
> org.apache.drill.exec.store.jdbc.JdbcRecordReader.setup(OperatorContext, OutputMutator)
> passes a nonconstant String to an execute method on an SQL statement
> The method invokes the execute method on an SQL statement with a String that
> seems to be dynamically generated.
> Consider using a prepared statement instead.
> It is more efficient and less vulnerable to SQL injection attacks.
> {noformat}
> LOC -
> https://github.com/apache/drill/blob/a9ea4ec1c5645ddab4b7aef9ac060ff5f109b696/contrib/storage-jdbc/src/main/java/org/apache/drill/exec/store/jdbc/JdbcRecordReader.java#L170
> {noformat}
> To run with findbugs:
> mvn clean install -Pfindbugs -DskipTests
> Findbugs will write the output to findbugsXml.html in the target directory of
> each module.
> For example the java-exec module report is located at:
> ./exec/java-exec/target/findbugs/findbugsXml.html
> Use
> find . -name "findbugsXml.html"
> to locate the files.
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
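The FindBugs finding quoted above is about a non-constant SQL string reaching `Statement.execute`. The following is an added example, not code from Drill's `JdbcRecordReader`, showing the flagged pattern next to the `PreparedStatement` form the report recommends. It assumes an H2 in-memory database reachable at the JDBC URL `jdbc:h2:mem:demo` (any JDBC driver works with the URL changed); the table, rows and the lookup value `O'Brien` are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not Drill's JdbcRecordReader). Contrasts a query assembled by
 * string concatenation and run through Statement with the same query run
 * through PreparedStatement, where the value travels as a bound parameter.
 */
public class PreparedStatementDemo {

    // Assumption: the H2 driver is on the classpath; swap in any JDBC URL.
    static final String JDBC_URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    /** Constructed sample data; one name legitimately contains a single quote. */
    static void createSampleTable(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement()) {
            st.execute("CREATE TABLE employees (id INT PRIMARY KEY, name VARCHAR(64), dept VARCHAR(32))");
            st.execute("INSERT INTO employees VALUES (1, 'alice', 'eng'), (2, 'O''Brien', 'ops'), (3, 'carol', 'eng')");
        }
    }

    /**
     * The pattern FindBugs flags: a non-constant String handed to an execute
     * method. The value is spliced into the SQL text, so a quote inside it is
     * parsed as SQL syntax rather than as data.
     */
    static int countByNameWithStatement(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM employees WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    /**
     * The recommended form: the SQL text is constant and the value is bound
     * with setString, so the driver never interprets it as SQL.
     */
    static int countByNameWithPreparedStatement(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM employees WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(JDBC_URL)) {
            createSampleTable(conn);
            String name = "O'Brien"; // constructed lookup value containing a quote

            try {
                System.out.println("Statement: " + countByNameWithStatement(conn, name));
            } catch (SQLException e) {
                // The concatenated query is malformed once the quote is spliced in.
                System.out.println("Statement failed: " + e.getMessage());
            }

            // The bound parameter is matched literally; expected count is 1.
            System.out.println("PreparedStatement: " + countByNameWithPreparedStatement(conn, name));
        }
    }
}
```

The same contrast is the reason the report calls the prepared form "less vulnerable": with `Statement`, whatever ends up in the query text is parsed as SQL, so correctness depends on every caller escaping every value; with `PreparedStatement`, the query shape is fixed at `prepareStatement` time and only the parameter slots vary. A reviewer checking a fix for this finding should confirm that the SQL string passed to `prepareStatement` is itself constant, since binding parameters into a string that is still concatenated from inputs does not remove the finding.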