[
https://issues.apache.org/jira/browse/PHOENIX-6560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711327#comment-17711327
]
ASF GitHub Bot commented on PHOENIX-6560:
-----------------------------------------
stoty commented on code in PR #1586:
URL: https://github.com/apache/phoenix/pull/1586#discussion_r1163998991
##########
phoenix-core/src/main/java/org/apache/phoenix/mapreduce/OrphanViewTool.java:
##########
@@ -500,18 +522,44 @@ else if (!clean){
}
}
}
+
+
private void forcefullyDropView(PhoenixConnection phoenixConnection,
Key key) throws Exception {
- String deleteRowsFromCatalog = "DELETE FROM " + SYSTEM_CATALOG_NAME +
- " WHERE " + TENANT_ID + (key.getTenantId() == null ? " IS
NULL" : " = '" + key.getTenantId() + "'") + " AND " +
- TABLE_SCHEM + (key.getSchemaName() == null ? " IS NULL " : " =
'" + key.getSchemaName() + "'") + " AND " +
- TABLE_NAME + " = '" + key.getTableName() + "'";
- String deleteRowsFromChildLink = "DELETE FROM " +
SYSTEM_CHILD_LINK_NAME +
- " WHERE " + COLUMN_NAME + (key.getTenantId() == null ? " IS
NULL" : " = '" + key.getTenantId() + "'") + " AND " +
- COLUMN_FAMILY + " = '" + (key.getSchemaName() == null ?
key.getTableName() : key.getSchemaName() + "." + key.getTableName()) + "'";
+ String deleteRowsFromCatalog = String.format("DELETE FROM " +
SYSTEM_CATALOG_NAME
+ + " WHERE " + TENANT_ID + " %s AND " + TABLE_SCHEM + " %s
AND "
+ + TABLE_NAME + " = ? ",
+ key.getTenantId() == null ? " IS NULL" : " = ? ",
+ key.getSchemaName() == null ? " IS NULL " : " = ? ");
+ String deleteRowsFromChildLink = String.format("DELETE FROM " +
SYSTEM_CHILD_LINK_NAME
+ + " WHERE " + COLUMN_NAME + " %s AND " + COLUMN_FAMILY + " =
? ",
+ key.getTenantId() == null ? " IS NULL" : " = ? ");
try {
- phoenixConnection.createStatement().execute(deleteRowsFromCatalog);
-
phoenixConnection.createStatement().execute(deleteRowsFromChildLink);
+ try (PreparedStatement delSysCat =
+ phoenixConnection.prepareStatement(deleteRowsFromCatalog)) {
+ int param = 0;
+ if (key.getTenantId() != null) {
+ delSysCat.setString(++param, key.getTenantId());
+ }
+ if (key.getSchemaName() != null) {
+ delSysCat.setString(++param, key.getSchemaName());
+ }
+ delSysCat.setString(++param, key.getTableName());
+ delSysCat.execute();
+ }
+ try (PreparedStatement delChLink =
+ phoenixConnection.prepareStatement(deleteRowsFromChildLink)) {
+ int param = 0;
+ if (key.getTenantId() != null) {
Review Comment:
My bad, it's OK.
> Rewrite dynamic SQL queries to use Preparedstatement
> ----------------------------------------------------
>
> Key: PHOENIX-6560
> URL: https://issues.apache.org/jira/browse/PHOENIX-6560
> Project: Phoenix
> Issue Type: Improvement
> Components: core
> Reporter: Istvan Toth
> Assignee: Abhishek Kothalikar
> Priority: Major
>
> Most of the Phoenix code base already uses PreparedStatements, and adds all
> potentially vulnerable data as parameters.
> However, there are some places where we concatenate potentially problematic
> strings into the query.
> While most of those are constants and such, we should preferably pass all
> data as parameters to be on the safe side.
> (We still have to use dynamic strings for the preparedstatement strings, for
> handling things as is null, empty in clauses and such)
> Spotbugs marks these with SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, so
> they're easy to find.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
