Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the preferred way to avoid SQL injections in Spark-SQL (on Hive)

Assume a SchemaRDD rdd with a registered table customer. You want to filter out records according to a user input. One idea you might have how to do this is the following:

rdd.sqlContext.sql(s"SELECT * FROM customer WHERE name='$userInput'")

However, since the old days of PHP we know that this can lead to nasty things. Is there an equivalent of PreparedStatement? The only thing I could find that looked remotely relevant is org.apache.commons.lang.StringEscapeUtils.escapeSql.

like image 892
DanielM Avatar asked Apr 16 '15 08:04

DanielM


People also ask

Which methods can be used to avoid SQL Injection?

Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database. This can be accomplished in a variety of programming languages including Java, . NET, PHP, and more.

What is the SQL Injection how we can prevent SQL Injection in Ado net?

SQL injection attacks can be performed in Entity SQL by supplying malicious input to values that are used in a query predicate and in parameter names. To avoid the risk of SQL injection, you should never combine user input with Entity SQL command text.

Which JDBC class can help to prevent SQL Injection attacks?

Preventing SQL Injection in Java Code The simplest solution is to use PreparedStatement instead of Statement to execute the query. Instead of concatenating username and password into the query, we provide them to query via PreparedStatement's setter methods.


1 Answers

One option would be to use the thriftserver to expose jdbc, and then the usual techniques could be used (PreparedStatement etc.) to prevent sql injection.

like image 72
dpeacock Avatar answered Oct 20 '22 00:10

dpeacock