
Rewrite dynamic SQL queries to use PreparedStatement


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.2.0
    • Component/s: core
    • Labels: None

    Description

      Most of the Phoenix code base already uses PreparedStatements, and adds all potentially vulnerable data as parameters.

      However, there are some places where we concatenate potentially problematic strings into the query.

      While most of those are constants and such, we should preferably pass all data as parameters to be on the safe side.

      (We still have to use dynamic strings for the PreparedStatement SQL text, for handling things such as IS NULL, empty IN clauses and the like.)

      SpotBugs marks these with SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, so they're easy to find.
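      The two patterns the description contrasts, as an added illustration that is not Phoenix's own code: a concatenated query of the kind SpotBugs flags, beside a version where the SQL text is still built dynamically (IS NULL versus a bound value, a variable number of IN placeholders, the empty-list case) but every data value is passed as a parameter. The class, table `T`, and columns `TENANT_ID`/`NAME` are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;

// Hypothetical helper; table and column names are placeholders, not Phoenix schema.
public final class SafeQueryExample {

    // The pattern the issue wants removed: caller-controlled data concatenated into SQL.
    // Executing this string is what SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE reports.
    static String concatenated(String tenantId) {
        return "SELECT * FROM T WHERE TENANT_ID = '" + tenantId + "'";
    }

    // The SQL text is still assembled dynamically (the placeholder count depends on the
    // list size, and a null tenant needs IS NULL), but no data value ever becomes part
    // of the SQL string; all of it is bound through the PreparedStatement.
    static PreparedStatement prepareLookup(Connection conn, String tenantId, List<String> names)
            throws SQLException {
        StringBuilder sql = new StringBuilder("SELECT * FROM T WHERE TENANT_ID ");
        sql.append(tenantId == null ? "IS NULL" : "= ?");
        if (names.isEmpty()) {
            // "IN ()" is not valid SQL; an empty list should match nothing.
            sql.append(" AND 1 = 0");
        } else {
            sql.append(" AND NAME IN (");
            for (int i = 0; i < names.size(); i++) {
                sql.append(i == 0 ? "?" : ", ?");
            }
            sql.append(")");
        }
        PreparedStatement ps = conn.prepareStatement(sql.toString());
        int idx = 1;
        if (tenantId != null) {
            ps.setString(idx++, tenantId);
        }
        for (String name : names) {
            ps.setString(idx++, name);
        }
        return ps;
    }
}
```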

            People

              Assignee: kabhishek4 Abhishek Kothalikar
              Reporter: stoty Istvan Toth