Jorge created SPARK-30631:
-----------------------------

Summary: Mitigate SQL injections - can't parameterize query parameters for JDBC connectors
Key: SPARK-30631
URL: https://issues.apache.org/jira/browse/SPARK-30631
Project: Spark
Issue Type: Improvement
Components: Spark Core
Affects Versions: 2.4.4
Reporter: Jorge
One of the options to read from a JDBC connection is a query. Sometimes, this query is parameterized (e.g. column names, values, etc.). The JDBC API does not support parameterizing SQL queries, which puts the burden of escaping SQL on the developer. This burden is unnecessary and a security risk. Very often, drivers provide a specific API to securely parameterize SQL statements. This issue proposes allowing the developers to pass "query" and "parameters" to the JDBC options, so that it is the driver, not the developer, that escapes parameters.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
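To illustrate the risk the issue describes and the mitigation it proposes, here is an added example that is not part of the Jira issue or of Spark: it uses Python's built-in sqlite3 DB-API driver as a stand-in for a JDBC driver, with a constructed in-memory table, and contrasts splicing a value into the query text (what the "query" option forces today) with driver-side parameter binding (what a "parameters" option would delegate to the driver). The table, column names and values are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the remote JDBC source.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "O'Brien", "user"), (3, "carol", "user")],
    )
    return conn

def query_concatenated(conn, name):
    # Today's situation: the caller has to build the full SQL text, so the
    # value becomes part of the statement and the caller must escape it.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def query_parameterized(conn, name):
    # The proposed situation: the SQL text is fixed and the driver binds the
    # value as data, so no escaping is done by the application developer.
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    # Runs both variants on a legitimate value containing a quote and on a
    # value crafted to change the statement's meaning; returns the outcomes.
    conn = make_db()
    results = {}
    # Legitimate data with an apostrophe: binding handles it, splicing does not.
    results["param_legit"] = query_parameterized(conn, "O'Brien")   # [2]
    try:
        results["concat_legit"] = query_concatenated(conn, "O'Brien")
    except sqlite3.OperationalError:
        results["concat_legit"] = "syntax error"  # the quote ended the literal early
    # A value that, when spliced, turns the WHERE clause into a tautology.
    tautology = "x' OR '1'='1"
    results["concat_tautology"] = query_concatenated(conn, tautology)  # [1, 2, 3]: every row leaks
    results["param_tautology"] = query_parameterized(conn, tautology)  # []: treated as a literal name
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same contrast applies to any driver's parameter-binding API; the point of the issue is that Spark's JDBC options currently expose only the first variant.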