Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 3.1.0
- Fix Version/s: None
Description
One of the options for reading from a JDBC connection is a query.
Sometimes this query is parameterized (e.g. by a column name, filter values, etc.).
The JDBC API does not support parameterizing SQL queries, which puts the burden of escaping SQL on the developer. This burden is unnecessary and a security risk.
Very often, drivers provide a specific API to securely parameterize SQL statements.
This issue proposes allowing developers to pass both "query" and "parameters" in the JDBC options, so that it is the driver, not the developer, that escapes the parameters.
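An added illustration of the two approaches the description contrasts, written for this page rather than taken from the project: a query built by string concatenation (where the developer owns the escaping) beside the driver-side binding that `PreparedStatement` already offers. The connection URL, the `orders` table and the column allowlist are assumptions; note that `?` placeholders bind values only, so an identifier such as a column name still has to be validated by the application.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class JdbcParamExample {
    // Hypothetical connection URL; replace with the real driver's URL.
    private static final String URL = "jdbc:EXAMPLE_DRIVER://host/db";

    // Column names cannot be bound with '?', so they are checked against a fixed allowlist.
    private static final Set<String> ALLOWED_COLUMNS = Set.of("id", "customer_id", "status");

    // Unsafe: the value is spliced into the SQL text, so escaping is the developer's job.
    static String buildUnsafe(String column, String value) {
        return "SELECT * FROM orders WHERE " + column + " = '" + value + "'";
    }

    // Safe: the value is left as a placeholder for the driver; the identifier is validated here.
    static String buildSafe(String column) {
        if (!ALLOWED_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("column not allowed: " + column);
        }
        return "SELECT * FROM orders WHERE " + column + " = ?";
    }

    static int countRows(Connection conn, String column, String value) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(buildSafe(column))) {
            ps.setString(1, value); // bound by the driver, never interpolated into the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                int n = 0;
                while (rs.next()) n++;
                return n;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        String name = "O'Brien";
        System.out.println(buildUnsafe("status", name)); // the quote breaks the statement
        System.out.println(buildSafe("status"));         // the placeholder stays a placeholder
        try (Connection conn = DriverManager.getConnection(URL)) {
            System.out.println(countRows(conn, "status", name)); // value compared literally
        }
    }
}
```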