[ https://issues.apache.org/jira/browse/SPARK-43205?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dongjoon Hyun updated SPARK-43205:
----------------------------------
    Component/s: Documentation
                     (was: Spark Core)

> Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier
> ---------------------------------------------------------------------------
>
>                 Key: SPARK-43205
>                 URL: https://issues.apache.org/jira/browse/SPARK-43205
>             Project: Spark
>          Issue Type: Documentation
>          Components: Documentation
>    Affects Versions: 3.5.0
>            Reporter: Serge Rielau
>            Assignee: Serge Rielau
>            Priority: Minor
>             Fix For: 3.5.0
>
>
> There is a requirement for SQL templates, where the table and/or column names
> are provided through substitution. This can be done today using variable
> substitution:
> SET hivevar:tabname = mytab;
> SELECT * FROM ${ hivevar:tabname };
> A straight variable substitution is dangerous since it does allow for SQL
> injection:
> SET hivevar:tabname = mytab, someothertab;
> SELECT * FROM ${ hivevar:tabname };
> A way to get around this problem is to wrap the variable substitution with a
> clause that limits the scope to produce an identifier.
> This approach is taken by Snowflake:
>
> [https://docs.snowflake.com/en/sql-reference/session-variables#using-variables-in-sql]
> SET hivevar:tabname = 'tabname';
> SELECT * FROM IDENTIFIER(${ hivevar:tabname })
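
The scoping idea in the issue description, as an added example that is not part of the original message and is not Spark's code: a small Python model in which `${var}` is pasted into the statement as text, while `IDENTIFIER(${var})` accepts only one (optionally qualified) name. The function names `as_identifier` and `render` and the identifier grammar used here are assumptions made for illustration.

```python
import re

# Constructed model of the issue's two templates; this is not Spark's parser.
_PART = r"(?:[A-Za-z_][A-Za-z0-9_]*|`(?:[^`]|``)+`)"   # bare or backtick-quoted name
_QUALIFIED = re.compile(rf"{_PART}(?:\.{_PART})*")      # e.g. db.tab
_VAR = r"\$\{\s*([\w:]+)\s*\}"                          # ${ hivevar:tabname }
_PLACEHOLDER = re.compile(rf"IDENTIFIER\(\s*{_VAR}\s*\)|{_VAR}")


def as_identifier(literal):
    """Interpret a string literal as exactly one (optionally qualified) name."""
    text = literal.strip()
    if len(text) >= 2 and text[0] == text[-1] == "'":
        text = text[1:-1]                       # drop the literal's own quotes
    if not _QUALIFIED.fullmatch(text):
        raise ValueError(f"not a single identifier: {text!r}")
    parts = []
    for part in re.findall(_PART, text):
        if part.startswith("`"):                # unquote, then re-quote uniformly
            part = part[1:-1].replace("``", "`")
        parts.append("`" + part.replace("`", "``") + "`")
    return ".".join(parts)


def render(template, variables):
    """Expand ${var} as raw text and IDENTIFIER(${var}) as a checked name."""
    def expand(match):
        checked, raw = match.group(1), match.group(2)
        if checked is not None:
            return as_identifier(variables[checked])
        return variables[raw]
    return _PLACEHOLDER.sub(expand, template)


if __name__ == "__main__":
    raw_tpl = "SELECT * FROM ${ hivevar:tabname }"
    safe_tpl = "SELECT * FROM IDENTIFIER(${ hivevar:tabname })"
    # Values taken from the issue description.
    for value in ("mytab", "mytab, someothertab"):
        variables = {"hivevar:tabname": value}
        print("raw    :", render(raw_tpl, variables))
        try:
            print("checked:", render(safe_tpl, variables))
        except ValueError as err:
            print("checked: rejected,", err)
```

With the value `mytab, someothertab` the raw template silently gains a second table, while the checked template fails before any statement is produced.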