[
https://issues.apache.org/jira/browse/HIVE-20551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Laszlo Pinter reassigned HIVE-20551:
------------------------------------
> Create PreparedStatement query dynamically when IN clause is used
> -----------------------------------------------------------------
>
> Key: HIVE-20551
> URL: https://issues.apache.org/jira/browse/HIVE-20551
> Project: Hive
> Issue Type: Bug
> Reporter: Laszlo Pinter
> Assignee: Laszlo Pinter
> Priority: Major
>
> In the MetaStoreDirectSql class, when an IN clause is used, the query statement
> is created via string concatenation, meaning that an attacker could change
> the statement's meaning or insert arbitrary SQL commands.
> Since the JDBC API allows only one literal per “?” parameter,
> PreparedStatement doesn’t work for IN clause queries. To create the
> PreparedStatement query dynamically based on the number of elements in the IN
> clause, makeParams() should be used instead of concatenation.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
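The report above describes replacing concatenated IN-clause literals with a PreparedStatement whose placeholder list is sized to the value list. The following Python example is added here and is not code from Hive or from this issue; it illustrates the same pattern against an in-memory SQLite database standing in for the metastore. The PARTITIONS table, its rows, the attacker-controlled partition name and the batch_size cap are all constructed for the illustration (the table is a simplified stand-in, not the real metastore schema), and make_params() is modelled on the makeParams() idea named in the report rather than being Hive's helper.

```python
import sqlite3
from typing import Iterable, List, Tuple

Row = Tuple[int, str]


def make_params(n: int) -> str:
    """Return n comma-separated '?' placeholders for an IN clause.

    Modelled on the makeParams() idea from the issue: a driver binds one
    literal per '?', so the placeholder list must be generated from the
    number of values instead of splicing the values into the SQL text.
    """
    if n <= 0:
        raise ValueError("an IN clause needs at least one value")
    return ", ".join(["?"] * n)


def setup_db() -> sqlite3.Connection:
    """Constructed, simplified stand-in for the metastore PARTITIONS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PARTITIONS (PART_ID INTEGER PRIMARY KEY, PART_NAME TEXT, TBL_ID INTEGER)"
    )
    conn.executemany(
        "INSERT INTO PARTITIONS VALUES (?, ?, ?)",
        [
            (1, "ds=2018-01-01", 10),
            (2, "ds=2018-01-02", 10),
            (3, "ds=2018-01-03", 11),
            (4, "ds=2018-01-04", 99),  # a row the caller never asked for
        ],
    )
    conn.commit()
    return conn


def fetch_parts_concat(conn: sqlite3.Connection, names: Iterable[str]) -> List[Row]:
    """VULNERABLE 'before' pattern: partition names spliced into the SQL text."""
    quoted = ", ".join("'" + n + "'" for n in names)
    sql = (
        "SELECT PART_ID, PART_NAME FROM PARTITIONS WHERE PART_NAME IN ("
        + quoted + ") ORDER BY PART_ID"
    )
    return conn.execute(sql).fetchall()


def fetch_parts_prepared(conn: sqlite3.Connection, names: Iterable[str],
                         batch_size: int = 500) -> List[Row]:
    """Hardened pattern: one '?' per value, every value bound, nothing concatenated.

    batch_size is an assumed cap: drivers limit the number of bound parameters
    per statement, so a long value list is split across several statements
    and the partial results are merged.
    """
    names = list(names)
    rows: List[Row] = []
    for start in range(0, len(names), batch_size):
        batch = names[start:start + batch_size]
        sql = (
            "SELECT PART_ID, PART_NAME FROM PARTITIONS WHERE PART_NAME IN ("
            + make_params(len(batch)) + ") ORDER BY PART_ID"
        )
        rows.extend(conn.execute(sql, batch).fetchall())
    rows.sort()  # restore a single ordering across batches
    return rows


# Constructed attacker-controlled partition name. Concatenated, it closes the
# IN list early and comments out the rest of the statement.
INJECTED_NAME = "x') OR 1=1 --"


if __name__ == "__main__":
    db = setup_db()
    print("concat, legit   :", fetch_parts_concat(db, ["ds=2018-01-01"]))
    print("concat, injected:", fetch_parts_concat(db, [INJECTED_NAME]))
    print("prepared, injected:", fetch_parts_prepared(db, [INJECTED_NAME]))
    print("prepared, batched :",
          fetch_parts_prepared(db, ["ds=2018-01-01", "ds=2018-01-03"], batch_size=1))
```

With the concatenating query, the injected name returns every row in the table because the statement becomes `... WHERE PART_NAME IN ('x') OR 1=1 --') ORDER BY PART_ID`; with the prepared query the same string is bound as a plain value and matches nothing. Generated placeholders remove the injection, but not the per-statement parameter limit most drivers impose, which is why the hardened version also batches the value list.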