[SPARK-43205] Add an IDENTIFIER(stringLiteral) clause that maps a string to an identifier - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.5.0
Fix Version/s: 3.5.0
Component/s: SQL
Labels:
None

Description

There is a requirement for SQL templates, where the table and or column names are provided through substitution. This can be done today using variable substitution:
SET hivevar:tabname = mytab;
SELECT * FROM ${ hivevar:tabname };

A straight variable substitution is dangerous since it does allow for SQL injection:
SET hivevar:tabname = mytab, someothertab;
SELECT * FROM ${ hivevar:tabname };

A way to get around this problem is to wrap the variable substitution with a clause that limits the scope t produce an identifier.
This approach is taken by Snowflake:
https://docs.snowflake.com/en/sql-reference/session-variables#using-variables-in-sql

SET hivevar:tabname = 'tabname';
SELECT * FROM IDENTIFIER(${ hivevar:tabname })

Attachments

Issue Links

links to

[Github] Pull Request #40884 (srielau)

[Github] Pull Request #41007 (srielau)

[Github] Pull Request #41335 (srielau)

Activity

People

Assignee:: Serge Rielau

Reporter:: Serge Rielau

Shepherd:: Wenchen Fan

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 19/Apr/23 22:36

Updated:: 21/Aug/23 03:38

Resolved:: 26/May/23 22:05