
PreparedStatement-style parameters support on the REST layer #51756

Open
astefan opened this issue Jan 31, 2020 · 6 comments
Labels
:Analytics/EQL EQL querying Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo)

Comments

@astefan
Contributor

astefan commented Jan 31, 2020

Similar to https://www.elastic.co/guide/en/elasticsearch/reference/7.x/sql-rest-params.html#sql-rest-params, we should support this type of parameters in requests to the EQL endpoint to prevent any sql-injection kind of attempts.

@astefan astefan added the :Analytics/EQL EQL querying label Jan 31, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-search (:Search/EQL)

@costin
Member

costin commented Feb 4, 2020

Note this issue is mainly about the grammar (to support the ? placeholders).

@rw-access
Contributor

Does it make sense to move SqlTypedParamValue to QL? Or should that be duplicated instead for EQL?

```java
// Parameter map keyed by the grammar token for each `?` placeholder
private final Map<Token, SqlTypedParamValue> params;

ExpressionBuilder(Map<Token, SqlTypedParamValue> params) {
    this.params = params;
}
```

@costin
Member

costin commented Feb 5, 2020

SQLTypedParam has a value and a type because it is used internally by the SQL drivers (which are typed). This is not the case here - a simple Object should do as JSON would map that to the appropriate number or string.
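An added example (not code from this issue or from Elasticsearch) illustrating the opening request and the comment above: the query text and the parameter values travel separately in the JSON body, the values are restricted to plain JSON scalars rather than typed wrappers, and a `?` inside a string literal is treated as data rather than as a placeholder. The `params` field is a hypothetical shape modelled on the SQL REST params page linked in the opening post.

```python
import json


def count_placeholders(query: str) -> int:
    """Count `?` placeholders that sit outside string literals.

    A `?` inside a single- or double-quoted literal is part of the
    value, so it must not consume a parameter. Backslash escapes
    inside a literal are skipped so an escaped quote does not end it.
    """
    count = 0
    quote = None  # the quote character of the currently open literal
    i = 0
    while i < len(query):
        ch = query[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == "?":
            count += 1
        i += 1
    if quote:
        raise ValueError("unterminated string literal in query")
    return count


def build_request(query: str, params: list) -> dict:
    """Build the request body; values are never spliced into the query text.

    Hypothetical `params` field, modelled on the SQL REST `params` array.
    """
    expected = count_placeholders(query)
    if expected != len(params):
        raise ValueError(
            f"query has {expected} placeholder(s) but {len(params)} param(s) were given"
        )
    for p in params:
        # Plain JSON scalars only; JSON already carries number vs. string.
        if not isinstance(p, (str, int, float, bool)):
            raise TypeError(f"unsupported parameter type: {type(p).__name__}")
    return {"query": query, "params": params}


if __name__ == "__main__":
    body = build_request(
        'process where process.name == ? and process.pid > ?', ["cmd.exe", 4]
    )
    print(json.dumps(body))
```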

@rjernst rjernst added the Team:QL (Deprecated) Meta label for query languages team label May 4, 2020
@costin costin assigned matriv and unassigned rw-access Sep 8, 2020
@costin
Member

costin commented Sep 8, 2020

@matriv as this is a minor issue to address and got mentioned in a few discussions, it's worth seeing whether we can address it in our next release. This is low priority; however, it would be useful to assess its impact by using the ? char as we're reviewing the grammar.
There is an old PR for it, #52301, though the code base has changed a lot since then.

@matriv matriv removed their assignment Jul 9, 2021
@wchaparro wchaparro removed the Team:QL (Deprecated) Meta label for query languages team label Jan 17, 2024
@elasticsearchmachine elasticsearchmachine added the Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) label Jan 17, 2024
@elasticsearchmachine
Collaborator

Pinging @elastic/es-analytical-engine (Team:Analytics)
