
Avoid possible SQL Injection with proper input validations


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.10.0, 4.8.2
    • Component/s: None
    • Labels: None

      Description

      There are possible SQL injections:

      Issue 1:
      Overview: On line 139 of PhoenixUtil.java, the method executeStatementThrowException() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

      Comment: As the source SQL query can have an IN clause, please use this link for the fix: http://stackoverflow.com/questions/3107044/preparedstatement-with-list-of-parameters-in-a-in-clause

      Issue 2:
      Overview: On line 60 of EntityFactory.java, the method findMultiple() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

      Comment: The limit value can be misused as well.

      Tagged: Suspicious

      Overview: On line 154 of PhoenixUtil.java, the method executeStatement() invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

      Comment: Applying schema to file?
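      The two remediation points raised above (bind each IN-list value as a parameter, and treat the limit as a validated integer rather than text) are shown below as an added JDBC example; it is not Phoenix's PhoenixUtil or EntityFactory code, and the class, table and column names are placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collections;
import java.util.List;
import java.util.Set;

// Added example (hypothetical helper, not part of Phoenix): a lookup with an
// IN clause and a LIMIT, built the flagged way and the parameterised way.
public final class SafeInQuery {

    // Identifiers cannot be bound as parameters, so they come from an
    // allow-list instead of from the caller's input (constructed sample values).
    static final Set<String> ALLOWED_TABLES = Set.of("USERS", "ORDERS");
    static final Set<String> ALLOWED_COLUMNS = Set.of("ID", "NAME");
    static final int MAX_ROWS = 1000;

    // FLAGGED pattern: the IN values and the limit are spliced into the SQL
    // text, so any of them can change the meaning of the statement.
    static String unsafeSql(String table, String col, List<String> values, String limit) {
        return "SELECT * FROM " + table + " WHERE " + col
             + " IN ('" + String.join("','", values) + "') LIMIT " + limit;
    }

    // FIXED pattern: one "?" per IN value, limit parsed and range-checked,
    // then bound with setInt so it is never interpreted as SQL text.
    static ResultSet findMultiple(Connection conn, String table, String col,
                                  List<String> values, String limit) throws SQLException {
        if (!ALLOWED_TABLES.contains(table) || !ALLOWED_COLUMNS.contains(col)) {
            throw new IllegalArgumentException("identifier not in allow-list");
        }
        if (values.isEmpty()) {
            throw new IllegalArgumentException("IN list must not be empty");
        }
        int limitValue = Integer.parseInt(limit); // non-numeric input throws here
        if (limitValue <= 0 || limitValue > MAX_ROWS) {
            throw new IllegalArgumentException("limit out of range");
        }
        String placeholders = String.join(",", Collections.nCopies(values.size(), "?"));
        String sql = "SELECT * FROM " + table + " WHERE " + col
                   + " IN (" + placeholders + ") LIMIT ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        int idx = 1;
        for (String v : values) {
            ps.setString(idx++, v); // each value bound, never concatenated
        }
        ps.setInt(idx, limitValue);
        return ps.executeQuery();
    }
}
```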

        Attachments

        1. PHOENIX-3613.patch (4 kB), Rajeshbabu Chintaguntla

            People

            • Assignee: Rajeshbabu Chintaguntla
            • Reporter: Rajeshbabu Chintaguntla
            • Votes: 0
            • Watchers: 4