在 Spark-SQL(在 Hive 上)中避免 SQL 注入的首选方法是什么 [英] What is the preferred way to avoid SQL injections in Spark-SQL (on Hive)

问题描述

假设 SchemaRDD rdd 带有注册表 customer.您想根据用户输入过滤掉记录.您可能对如何执行此操作有以下想法:

Assume a SchemaRDD rdd with a registered table customer. You want to filter out records according to a user input. One idea you might have how to do this is the following:

rdd.sqlContext.sql(s"SELECT * FROM customer WHERE name='$userInput'")

但是，从 PHP 的旧时代起，我们就知道这可能会导致令人讨厌的事情.是否有相当于 PreparedStatement 的东西?我能找到的唯一看起来与远程相关的是 org.apache.commons.lang.StringEscapeUtils.escapeSql.

However, since the old days of PHP we know that this can lead to nasty things. Is there an equivalent of PreparedStatement? The only thing I could find that looked remotely relevant is org.apache.commons.lang.StringEscapeUtils.escapeSql.

推荐答案

一种选择是使用 thriftserver 暴露 jdbc，然后可以使用常用的技术(PreparedStatement 等)来防止 sql 注入.

One option would be to use the thriftserver to expose jdbc, and then the usual techniques could be used (PreparedStatement etc.) to prevent sql injection.

这篇关于在 Spark-SQL(在 Hive 上)中避免 SQL 注入的首选方法是什么的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！