[ https://issues.apache.org/jira/browse/SPARK-30631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dongjoon Hyun updated SPARK-30631:
----------------------------------
    Affects Version/s: (was: 3.0.0)
                       3.1.0

> Mitigate SQL injections - can't parameterize query parameters for JDBC connectors
> ---------------------------------------------------------------------------------
>
>                 Key: SPARK-30631
>                 URL: https://issues.apache.org/jira/browse/SPARK-30631
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Core
>    Affects Versions: 3.1.0
>            Reporter: Jorge
>            Priority: Major
>              Labels: jdbc, security
>
> One of the options to read from a JDBC connection is a query.
> Sometimes, this query is parameterized (e.g. column name, values, etc.).
> The JDBC API does not support parameterizing SQL queries, which puts the burden of escaping SQL on the developer. This burden is unnecessary and a security risk.
> Very often, drivers provide a specific API to securely parameterize SQL statements.
> This issue proposes allowing the developers to pass "query" and "parameters" to the JDBC options, so that it is the driver, not the developer, that escapes parameters.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
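The contrast the issue draws, as an added example that is not Spark's code: a "query" option built by splicing a value into the SQL text, beside the proposed "query" plus "parameters" shape where the driver binds the value. It uses sqlite3 as a stand-in for a JDBC driver, the option layout with a "parameters" list is assumed from the issue text, and the sample rows and the allowlist are constructed.

```python
import sqlite3

# Constructed sample data standing in for the JDBC source.
SAMPLE_ROWS = [(1, "alice", 10.0), (2, "O'Brien", 25.5), (3, "bob", 7.0)]
# Identifiers (table/column names) cannot be bound by any driver, so they are
# checked against an allowlist rather than passed as parameters.
ALLOWED_TABLES = {"orders"}


def make_conn() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def unsafe_options(table: str, customer: str) -> dict:
    """The pattern the issue describes: the value is spliced into the SQL text,
    so escaping is left to the developer."""
    return {"query": f"SELECT id FROM {table} WHERE customer = '{customer}'"}


def parameterized_options(table: str, customer: str) -> dict:
    """Proposed shape (hypothetical option layout): SQL text with a placeholder
    plus a separate parameter list that the driver binds."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    return {"query": f"SELECT id FROM {table} WHERE customer = ?",
            "parameters": [customer]}


def run(opts: dict) -> list:
    """Stand-in for the connector: hand query text and parameters to the driver."""
    conn = make_conn()
    try:
        return conn.execute(opts["query"], opts.get("parameters", [])).fetchall()
    finally:
        conn.close()


def unsafe_query_fails(customer: str) -> bool:
    """True when the spliced query is no longer valid SQL for this input,
    i.e. the value has changed the statement's structure."""
    try:
        run(unsafe_options("orders", customer))
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print(run(parameterized_options("orders", "O'Brien")))  # [(2,)]
    print(unsafe_query_fails("O'Brien"))                    # True
```

A plain apostrophe in a legitimate value is enough to break the spliced query, while the bound parameter is matched literally, including for values that contain SQL syntax.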