thesmallstar commented on issue #723: FINERACT-808 FIXES: Some Action names do not filter audit trails URL: https://github.com/apache/fineract/pull/723#issuecomment-596221641 @vorburger Update(not final but helpful conclusions): For SQL injection to be possible inside a where query: (something I tested):  Here we expected the parts in city Paris with weight 17, SQL injection would end the quote and then add a semicolon(and maybe a new query ahead). We skipped the validation: city = Paris (This could have been a password?) Now, in `sqlEncodedStringWithoutValidation` we add a quote to the start and end (since we need an initial quote and an end quote. this made the search query from 17'; to (start)'17(end)';' next we replace each ' with ' ' -> '17' ';' this would escape the quote that means we could not end the initial start of the search string, the new search query would be (start)'17;' '(end)(in all cases). **Use of double quotes?** Should not be a problem, SQL injection needs to use a single quote(since we append a single quote). Well, I could not still remove **probably**, but :P probably we would not need the keywords to be compared in this special case? :P
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
