fineract-commits mailing list archives

From GitBox <>
Subject [GitHub] [fineract] vorburger commented on a change in pull request #1123: FINERACT-854 Removed string concatenated SQL from CenterReadPlatform
Date Wed, 22 Jul 2020 21:47:54 GMT

vorburger commented on a change in pull request #1123:

File path: fineract-provider/src/main/java/org/apache/fineract/portfolio/group/service/
@@ -122,55 +122,26 @@ public CenterReadPlatformServiceImpl(final PlatformSecurityContext context,
     // 'g.' preffix because of ERROR 1052 (23000): Column 'column_name' in where
     // clause is ambiguous
     // caused by the same name of columns in m_office and m_group tables
-    private String getCenterExtraCriteria(String schemaSl, List<Object> paramList,
final SearchParameters searchCriteria) {
+    private SQLBuilder getCenterExtraCriteria(String schemaSl, final SearchParameters searchCriteria)
-        StringBuilder extraCriteria = new StringBuilder(200);
-        extraCriteria.append(" and g.level_id = " + GroupTypes.CENTER.getId());
+        SQLBuilder extraCriteria = new SQLBuilder();
+        extraCriteria.addCriteria("g.level_id =", GroupTypes.CENTER.getId());
         if (searchCriteria != null) {
             String sqlQueryCriteria = searchCriteria.getSqlSearch();
             if (StringUtils.isNotBlank(sqlQueryCriteria)) {
                 sqlQueryCriteria = sqlQueryCriteria.replace(" display_name ", " g.display_name
                 sqlQueryCriteria = sqlQueryCriteria.replace("display_name ", "g.display_name
-                extraCriteria.append(" and (").append(sqlQueryCriteria).append(") ");
-                this.columnValidator.validateSqlInjection(schemaSl, sqlQueryCriteria);
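Review bot: the removed lines at the end of this hunk drop both the `extraCriteria.append(" and (").append(sqlQueryCriteria).append(") ")` and the `this.columnValidator.validateSqlInjection(schemaSl, sqlQueryCriteria)` call, but no `+` line in the visible hunk shows where the user-supplied `sqlQueryCriteria` goes afterwards; the two `replace(...)` calls that rewrite `display_name` to `g.display_name` are now computing a value nothing consumes. If the intent is to stop honouring the free-form `sqlSearch` criterion entirely, say so in the PR description and delete the now-dead `getSqlSearch()`/`replace` block as well; if the fragment is still appended further down, the `validateSqlInjection` call must stay, since `SQLBuilder.addCriteria` can only bind a value as a parameter and cannot make a raw SQL fragment safe. Two smaller points on the new signature `private SQLBuilder getCenterExtraCriteria(String schemaSl, final SearchParameters searchCriteria)`: `schemaSl` was only used by the removed validator call, so it is now an unused parameter, and dropping `List<Object> paramList` means every caller that passed the parameter list must be updated in the same change.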

Review comment:
@thesmallstar sorry for the huge delay in getting back to you on this one. I've re-read it again now (took me a minute to get back into it). Are you suggesting that we merge this now? Because, unless I misunderstand, this would break the currently existing functionality for these sqlQueryCriteria, agreed? But they really are a problem, huh? I need to dig more into the code to understand where this is coming from.

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
