[SPARK-30631] Mitigate SQL injections - can't parameterize query parameters for JDBC connectors - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.1.0
Fix Version/s: None
Component/s: Spark Core
Labels:
- jdbc
- security

Description

One of the options to read from a JDBC connection is a query.

Sometimes, this query is parameterized (e.g. column name, values, etc).

The JDBC API does not support parameterizing SQL queries, which puts the burden of escaping SQL on the developer. This burden is unnecessary and a security risk.

Very often, drivers provide a specific API to securely parameterize SQL statements.

This issue proposes allowing the developers to pass "query" and "parameters" to the JDBC options, so that it is the driver, not the developer, that escape parameters.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Jorge Leitão

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Jan/20 06:07

Updated:: 04/Feb/20 20:06