SPARK-30631: Mitigate SQL injections - can't parameterize query parameters for JDBC connectors


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1.0
    • Fix Version/s: None
    • Component/s: Spark Core
    • Labels:

      Description

      One of the options to read from a JDBC connection is a query.

      Sometimes, this query is parameterized (e.g. column names, values, etc.).

      The JDBC API does not support parameterizing SQL queries, which puts the burden of escaping SQL on the developer. This burden is unnecessary and a security risk.

      Very often, drivers provide a specific API to securely parameterize SQL statements.

      This issue proposes allowing developers to pass "query" and "parameters" to the JDBC options, so that it is the driver, not the developer, that escapes parameters.
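      As an added illustration of the gap the description points at (not code from the Spark project or from the reporter): the first function builds the string a developer would hand to the `query` JDBC option today, with the value interpolated in and no escaping, which is exactly the pattern the ticket wants to remove; the second shows what "the driver, not the developer, escapes parameters" means, with the statement and its parameters passed separately so the driver binds them. An in-memory SQLite database with a constructed `employees` table stands in for the remote JDBC source so the example runs offline; the shape of a "parameters" option is the ticket's proposal and is assumed here, not an existing Spark option.

```python
import sqlite3

# Constructed sample data standing in for the remote JDBC table.
SAMPLE_ROWS = [
    (1, "alice", "engineering"),
    (2, "bob", "finance"),
    (3, "carol", "engineering"),
]


def make_db():
    """In-memory SQLite database standing in for the JDBC source (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_option(dept):
    """What a developer does today: interpolate the value into the string
    that will be passed as the `query` JDBC option, e.g.
    spark.read.format("jdbc").option("query", build_query_option(dept)).
    Escaping is the developer's job, and here it is (deliberately) not done,
    which is the vulnerable pattern the ticket describes."""
    return f"SELECT id, name FROM employees WHERE dept = '{dept}'"


def run_query_option(conn, dept):
    """Execute the interpolated string as the database would receive it."""
    return conn.execute(build_query_option(dept)).fetchall()


def run_parameterized(conn, dept):
    """Proposed shape: the statement carries a placeholder and the value is
    handed to the driver separately, so the driver binds it as data and no
    developer-side escaping is involved. A hypothetical Spark equivalent
    would be .option("query", "... WHERE dept = ?").option("parameters", [dept])."""
    query = "SELECT id, name FROM employees WHERE dept = ?"
    return conn.execute(query, (dept,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    injected = "x' OR '1'='1"
    # Interpolated: the filter is defeated and every row comes back.
    print(run_query_option(conn, injected))
    # Bound by the driver: the same input is just a department name that matches nothing.
    print(run_parameterized(conn, injected))
```

      With a benign value both functions return the two engineering rows; with the injected value the interpolated version returns all three rows while the bound version returns none, which is the difference between developer-side escaping and driver-side parameter binding.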


            People

            • Assignee: Unassigned
            • Reporter: jorgecarleitao (Jorge Leitão)
            • Votes: 1
            • Watchers: 3
