[jira] [Commented] (SPARK-43205) Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier
[ https://issues.apache.org/jira/browse/SPARK-43205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17756647#comment-17756647 ] Snoot.io commented on SPARK-43205: -- User 'srielau' has created a pull request for this issue: https://github.com/apache/spark/pull/41335 > Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier > --- > > Key: SPARK-43205 > URL: https://issues.apache.org/jira/browse/SPARK-43205 > Project: Spark > Issue Type: New Feature > Components: SQL >Affects Versions: 3.5.0 >Reporter: Serge Rielau >Assignee: Serge Rielau >Priority: Major > Fix For: 3.5.0 > > > There is a requirement for SQL templates, where the table and or column names > are provided through substitution. This can be done today using variable > substitution: > SET hivevar:tabname = mytab; > SELECT * FROM ${ hivevar:tabname }; > A straight variable substitution is dangerous since it does allow for SQL > injection: > SET hivevar:tabname = mytab, someothertab; > SELECT * FROM ${ hivevar:tabname }; > A way to get around this problem is to wrap the variable substitution with a > clause that limits the scope t produce an identifier. > This approach is taken by Snowflake: > > [https://docs.snowflake.com/en/sql-reference/session-variables#using-variables-in-sql] > SET hivevar:tabname = 'tabname'; > SELECT * FROM IDENTIFIER(${ hivevar:tabname }) -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-43205) Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier
[ https://issues.apache.org/jira/browse/SPARK-43205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17727621#comment-17727621 ] GridGain Integration commented on SPARK-43205: -- User 'srielau' has created a pull request for this issue: https://github.com/apache/spark/pull/40884 > Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier > --- > > Key: SPARK-43205 > URL: https://issues.apache.org/jira/browse/SPARK-43205 > Project: Spark > Issue Type: New Feature > Components: SQL >Affects Versions: 3.5.0 >Reporter: Serge Rielau >Assignee: Serge Rielau >Priority: Major > Fix For: 3.5.0 > > > There is a requirement for SQL templates, where the table and or column names > are provided through substitution. This can be done today using variable > substitution: > SET hivevar:tabname = mytab; > SELECT * FROM ${ hivevar:tabname }; > A straight variable substitution is dangerous since it does allow for SQL > injection: > SET hivevar:tabname = mytab, someothertab; > SELECT * FROM ${ hivevar:tabname }; > A way to get around this problem is to wrap the variable substitution with a > clause that limits the scope t produce an identifier. > This approach is taken by Snowflake: > > [https://docs.snowflake.com/en/sql-reference/session-variables#using-variables-in-sql] > SET hivevar:tabname = 'tabname'; > SELECT * FROM IDENTIFIER(${ hivevar:tabname }) -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-43205) Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier
[ https://issues.apache.org/jira/browse/SPARK-43205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17722894#comment-17722894 ] Hudson commented on SPARK-43205: User 'srielau' has created a pull request for this issue: https://github.com/apache/spark/pull/41007 > Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier > --- > > Key: SPARK-43205 > URL: https://issues.apache.org/jira/browse/SPARK-43205 > Project: Spark > Issue Type: New Feature > Components: Spark Core >Affects Versions: 3.5.0 >Reporter: Serge Rielau >Priority: Major > > There is a requirement for SQL templates, where the table and or column names > are provided through substitution. This can be done today using variable > substitution: > SET hivevar:tabname = mytab; > SELECT * FROM ${ hivevar:tabname }; > A straight variable substitution is dangerous since it does allow for SQL > injection: > SET hivevar:tabname = mytab, someothertab; > SELECT * FROM ${ hivevar:tabname }; > A way to get around this problem is to wrap the variable substitution with a > clause that limits the scope t produce an identifier. > This approach is taken by Snowflake: > > [https://docs.snowflake.com/en/sql-reference/session-variables#using-variables-in-sql] > SET hivevar:tabname = 'tabname'; > SELECT * FROM IDENTIFIER(${ hivevar:tabname }) -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org