Assume a SchemaRDD rdd
with a registered table customer
. You want to filter out records according to a user input. One idea you might have how to do this is the following:
rdd.sqlContext.sql(s"SELECT * FROM customer WHERE name='$userInput'")
However, since the old days of PHP we know that this can lead to nasty things.
Is there an equivalent of PreparedStatement? The only thing I could find that looked remotely relevant is org.apache.commons.lang.StringEscapeUtils.escapeSql
.
Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database. This can be accomplished in a variety of programming languages including Java, . NET, PHP, and more.
SQL injection attacks can be performed in Entity SQL by supplying malicious input to values that are used in a query predicate and in parameter names. To avoid the risk of SQL injection, you should never combine user input with Entity SQL command text.
Preventing SQL Injection in Java Code The simplest solution is to use PreparedStatement instead of Statement to execute the query. Instead of concatenating username and password into the query, we provide them to query via PreparedStatement's setter methods.
One option would be to use the thriftserver to expose jdbc, and then the usual techniques could be used (PreparedStatement etc.) to prevent sql injection.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With