What is the preferred way to avoid SQL injections

2019-01-19 21:39发布

Assume a SchemaRDD rdd with a registered table customer. You want to filter out records according to a user input. One idea you might have how to do this is the following:

rdd.sqlContext.sql(s"SELECT * FROM customer WHERE name='$userInput'")

However, since the old days of PHP we know that this can lead to nasty things. Is there an equivalent of PreparedStatement? The only thing I could find that looked remotely relevant is org.apache.commons.lang.StringEscapeUtils.escapeSql.

1条回答
三岁会撩人
2楼-- · 2019-01-19 22:08

One option would be to use the thriftserver to expose jdbc, and then the usual techniques could be used (PreparedStatement etc.) to prevent sql injection.

查看更多
登录 后发表回答