mirror of
https://github.com/apache/zeppelin
Prevent SQL injection for GetUserList.getUserList.
parent
985b86e4d2
commit
d1a7ff9be8
1 changed files with 3 additions and 1 deletions
|
|
@ -231,7 +231,7 @@ public class GetUserList {
|
|||
return userlist;
|
||||
}
|
||||
|
||||
userquery = "select " + username + " from " + tablename;
|
||||
userquery = "select ? from ?";
|
||||
|
||||
} catch (IllegalAccessException e) {
|
||||
LOG.error("Error while accessing dataSource for JDBC Realm", e);
|
||||
|
|
@ -241,6 +241,8 @@ public class GetUserList {
|
|||
try {
|
||||
Connection con = dataSource.getConnection();
|
||||
ps = con.prepareStatement(userquery);
|
||||
ps.setString(1, username);
|
||||
ps.setString(2, tablename);
|
||||
rs = ps.executeQuery();
|
||||
while (rs.next()) {
|
||||
userlist.add(rs.getString(1).trim());
|
||||
|
|
|
|||
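Review bot: JDBC bind parameters carry values, not identifiers, so the new `userquery = "select ? from ?"` with `ps.setString(1, username)` and `ps.setString(2, tablename)` in the second hunk cannot name a column or a table. Most drivers will reject `from ?` when the statement is prepared or executed, and where a placeholder is accepted in the select list it yields the bound string itself rather than the column contents, so the user list likely comes back empty or wrong. The identifiers have to stay in the SQL text, so check them against a strict pattern before concatenating, for example `if (!username.matches("[A-Za-z_][A-Za-z0-9_]*") || !tablename.matches("[A-Za-z_][A-Za-z0-9_.]*")) { return userlist; }`, and then build `"select " + username + " from " + tablename` as before. The method starts and ends outside both hunks, so where the two names come from and whether `con`, `ps` and `rs` are closed cannot be confirmed from here.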