[
https://issues.apache.org/jira/browse/SPARK-10857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14967827#comment-14967827
]
Reynold Xin edited comment on SPARK-10857 at 10/21/15 8:31 PM:
---------------------------------------------------------------
We want to support a query (not just a table name). Would this rule that out?
was (Author: rxin):
We want to support a query within that. Would this rule that out?
> SQL injection bug in JdbcDialect.getTableExistsQuery()
> ------------------------------------------------------
>
> Key: SPARK-10857
> URL: https://issues.apache.org/jira/browse/SPARK-10857
> Project: Spark
> Issue Type: Bug
> Components: SQL
> Affects Versions: 1.5.0
> Reporter: Rick Hillegas
> Priority: Minor
>
> All of the implementations of this method involve constructing a query by
> concatenating boilerplate text with a user-supplied name. This looks like a
> SQL injection bug to me.
> A better solution would be to call java.sql.DatabaseMetaData.getTables() to
> implement this method, using the catalog and schema which are available from
> Connection.getCatalog() and Connection.getSchema(). This would not work on
> Java 6 because Connection.getSchema() was introduced in Java 7. However, the
> solution would work for more modern JVMs. Limiting the vulnerability to
> obsolete JVMs would at least be an improvement over the current situation.
> Java 6 has been end-of-lifed and is not an appropriate platform for users who
> are concerned about security.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
