This is an automated email from the ASF dual-hosted git repository. ptuomola pushed a commit to branch develop in repository https://gitbox.apache.org/repos/asf/fineract.git
commit 5919d38f69fcd9b3f4619051d2656b58de0dc2fb
Author: Joseph Makara <[email protected]>
AuthorDate: Sun Mar 21 13:28:07 2021 +0300
Use prepared statements instead of string concatenated SQL everywhere - WIP (FINERACT-854)
---
 .../service/GenericDataServiceImpl.java | 23 +++++++++++-----------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java
index 8c11f88..b75df1f 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java
@@ -261,9 +261,9 @@ public class GenericDataServiceImpl implements GenericDataService {
 final List<ResultsetColumnValueData> columnValues = new ArrayList<>();
 final String sql = "select v.id, v.code_score, v.code_value from m_code m " + " join m_code_value v on v.code_id = m.id "
- + " where m.code_name = '" + codeName + "' order by v.order_position, v.id";
+ + " where m.code_name = ? order by v.order_position, v.id";
- final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql);
+ final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {codeName});
 rsValues.beforeFirst();
 while (rsValues.next()) {
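Review bot: The new `queryForRowSet(sql, String.class, new Object[] {codeName})` call binds two parameters — the `Class` object and the `Object[]` itself — against a statement that has a single `?`, because the only JdbcTemplate overload this resolves to is `queryForRowSet(String sql, Object... args)`; as far as I can tell there is no `queryForRowSet` variant that takes a required type (that signature belongs to `queryForObject`). A JDBC driver will most likely reject the second parameter at runtime (parameter index out of range), so the parameterized query never runs as intended. The line should read `final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, codeName);`. The same mistake is in the `@@ -281` hunk (`Integer.class`), the `@@ -298` hunk (`String.class`) and the `getDatatableCodeData` rewrite in the `@@ -309` hunk; each call should pass just the bind value(s). The enclosing method of this hunk starts before and ends after the hunk.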
@@ -281,9 +281,9 @@ public class GenericDataServiceImpl implements GenericDataService {
 final List<ResultsetColumnValueData> columnValues = new ArrayList<>();
 if (codeId != null) {
- final String sql = "select v.id, v.code_value from m_code_value v where v.code_id =" + codeId
+ final String sql = "select v.id, v.code_value from m_code_value v where v.code_id =?"
 + " order by v.order_position, v.id";
- final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql);
+ final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, Integer.class, new Object[] {codeId});
 rsValues.beforeFirst();
 while (rsValues.next()) {
 final Integer id = rsValues.getInt("id");
@@ -298,10 +298,10 @@ public class GenericDataServiceImpl implements GenericDataService {
 private SqlRowSet getDatatableMetaData(final String datatable) {
 final String sql = "select COLUMN_NAME, IS_NULLABLE, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH, COLUMN_KEY"
- + " from INFORMATION_SCHEMA.COLUMNS " + " where TABLE_SCHEMA = schema() and TABLE_NAME = '" + datatable
- + "'order by ORDINAL_POSITION";
+ + " from INFORMATION_SCHEMA.COLUMNS " + " where TABLE_SCHEMA = schema() and TABLE_NAME = ?"
+ + " order by ORDINAL_POSITION";
- final SqlRowSet columnDefinitions = this.jdbcTemplate.queryForRowSet(sql);
+ final SqlRowSet columnDefinitions = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {datatable});
 if (columnDefinitions.next()) {
 return columnDefinitions;
 }
@@ -309,11 +309,10 @@ public class GenericDataServiceImpl implements GenericDataService {
 throw new DatatableNotFoundException(datatable);
 }
- private SqlRowSet getDatatableCodeData(final String datatable, final String columnName) {
-
- final String sql = "select mc.id,mc.code_name from m_code mc join x_table_column_code_mappings xcc on xcc.code_id = mc.id where xcc.column_alias_name='"
- + datatable.toLowerCase().replaceAll("\\s", "_") + "_" + columnName + "'";
- final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql);
+ private SqlRowSet getDatatableCodeData(final String aDatatable, final String aColumnName) {
+ String datatableColumnName = aDatatable.toLowerCase().replaceAll("\\s", "_") + "_" + aColumnName;
+ final String sql = "select mc.id,mc.code_name from m_code mc join x_table_column_code_mappings xcc on xcc.code_id = mc.id where xcc.column_alias_name=?";
+ final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {datatableColumnName});
 return rsValues;
 }
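Review bot: The renamed parameters `aDatatable` and `aColumnName` introduce an `a`-prefix convention that the rest of this file does not use (the neighbouring `getDatatableMetaData(final String datatable)` keeps plain names), and the rename is not needed for the parameterization; keeping `datatable` and `columnName` would make the hunk smaller and consistent. The new local `String datatableColumnName` is also the only non-`final` local among its siblings, so `final String datatableColumnName = ...` would match the surrounding style. Separately, the alias is now built on a new-side line with `toLowerCase()` using the JVM default locale; if the intent is a locale-independent identifier, `toLowerCase(Locale.ROOT)` is the safer form (this would need `java.util.Locale` imported, which I cannot see from the hunk). The `String.class` argument to `queryForRowSet` has the same problem raised on the first hunk.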
