Apache Spark: In SparkSql, are SQL queries vulnerable to SQL Injection


Problem description

Scenario:

Say there is a table in Hive, and it is queried using the SparkSql below in Apache Spark, where the table name is passed as an argument and concatenated into the query.

In the case of a non-distributed system, I have a basic understanding of the SQL injection vulnerability and, in the context of JDBC, understand the usage of createStatement/preparedStatement in those kinds of scenarios.

But what about this scenario in the case of SparkSql? Is this code vulnerable? Any insights?

import org.apache.spark.{SparkConf, SparkContext}
import org.apache.spark.sql.hive.HiveContext

object TestApp {
  def main(args: Array[String]) {

    val sconf = new SparkConf().setAppName("TestApp")
    val sparkContext = new SparkContext(sconf)
    val hiveSqlContext = new HiveContext(sparkContext)

    val tableName = args(0)    // passed as an argument, not validated

    // The argument is concatenated directly into the SQL text
    val tableData = hiveSqlContext.sql("select IdNum, Name from hiveSchemaName." + tableName + " where IdNum <> '' ")
                                  .map(x => (x.getString(0), x.getString(1))).collectAsMap()

    ................
    ...............
  }
}

Recommended answer

You can try the following in Spark 2.0:

import org.apache.spark.SparkConf
import org.apache.spark.sql.SparkSession

object TestApp {
  def main(args: Array[String]) {
    val conf = new SparkConf()

    val sparkSession = SparkSession
      .builder()
      .appName("TestApp")
      .config(conf)
      .enableHiveSupport()
      .getOrCreate()

    // needed for the $"col" column syntax and the tuple Encoder used by map
    import sparkSession.implicits._

    val tableName = args(0)    // passed as an argument

    // .table() parses its argument as a table identifier and resolves it in the catalog;
    // the argument is not spliced into SQL text
    val tableData = sparkSession
      .table(tableName)
      .select($"IdNum", $"Name")
      .filter($"IdNum" =!= "")
      .map(x => (x.getString(0), x.getString(1)))
      .collect()
      .toMap

    ................
    ...............
  }
}
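Added example, not part of the question or the answer above. It runs without Spark: it only builds the query text the way the question's code concatenates it, feeds it a constructed attacker-controlled argument, and places a hardened builder next to it. The allow-list contents (`customers`, `orders`) and the malicious argument are assumptions made for the example; the schema name is the one from the question. The hardened builder is not a Spark API, it is the check a caller should apply before handing a name to either `sql()` or `table()`.

```python
import re

# Constructed for this example: the tables the job is allowed to read.
ALLOWED_TABLES = frozenset({"customers", "orders"})
SCHEMA = "hiveSchemaName"  # schema name taken from the question's query

# Spark SQL unquoted identifier: letters, digits and underscore only.
_PLAIN_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed attacker-controlled argument (the table name comes from args(0) in the question).
# The trailing "--" turns the rest of the original statement into a comment.
MALICIOUS_ARG = ("orders where 1=1 union all "
                 "select UserName, PasswordHash from hiveSchemaName.users --")


def vulnerable_query(table_name: str) -> str:
    """Same string concatenation as in the question: table_name becomes SQL text."""
    return ("select IdNum, Name from " + SCHEMA + "." + table_name
            + " where IdNum <> '' ")


def quote_identifier(name: str) -> str:
    """Backtick-quote one identifier; Spark SQL escapes a backtick inside by doubling it."""
    return "`" + name.replace("`", "``") + "`"


def is_accepted(table_name: str, allowed=ALLOWED_TABLES) -> bool:
    """True only for a plain identifier that is on the allow-list."""
    return bool(_PLAIN_IDENTIFIER.fullmatch(table_name)) and table_name in allowed


def safe_query(table_name: str, allowed=ALLOWED_TABLES) -> str:
    """Validate first, then quote anyway: the allow-list is the control, quoting is defence in depth."""
    if not is_accepted(table_name, allowed):
        raise ValueError(f"refusing table name {table_name!r}")
    return ("select IdNum, Name from " + quote_identifier(SCHEMA) + "."
            + quote_identifier(table_name) + " where IdNum <> ''")


def qualified_table_name(table_name: str, allowed=ALLOWED_TABLES) -> str:
    """Name to hand to sparkSession.table(): .table() parses its argument as an identifier
    and cannot add clauses, but it still reads whatever table it is given (including
    a schema-qualified one), so the allow-list is needed on that path too."""
    if not is_accepted(table_name, allowed):
        raise ValueError(f"refusing table name {table_name!r}")
    return SCHEMA + "." + table_name


if __name__ == "__main__":
    print("vulnerable:", vulnerable_query(MALICIOUS_ARG))
    print("safe      :", safe_query("orders"))
    for arg in (MALICIOUS_ARG, "hiveSchemaName.users", "orders"):
        print(f"{arg!r:>90} accepted={is_accepted(arg)}")
```

With the malicious argument, `vulnerable_query` produces a statement whose `union all` reads a second table and whose original `where IdNum <> ''` filter sits behind the `--` comment, so `sql()` would execute the attacker's query. `safe_query` and `qualified_table_name` refuse the same argument, and also refuse `hiveSchemaName.users`, which `spark.table()` would otherwise happily resolve. Spark 3.4 and later additionally offer parameterized `spark.sql(sqlText, args)` and the `IDENTIFIER(...)` clause for binding a table name; the allow-list check stays useful with those as well, since a parameter still names any table the caller may read.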
