Manthan, thanks for raising this:

On Sat, Jul 18, 2020 at 10:18 PM Manthan Surkar <[email protected]> wrote:
> Hello everyone,
>
> I am trying to convert String concatenated SQL to prepared SQL statements,

just an FYI to others, the background here is https://issues.apache.org/jira/browse/FINERACT-854.

> wherein I could not figure out the correct use of the sqlSearch argument.
>
> Find it here: https://demo.mifos.io/api-docs/apiLive.htm#groups_list
>
> Problem:
> I tried various values for sqlSearch:
> accountNo = 1010101 (error, SQL injection exception)
> display_name like "%x%" (works)
> display_name like "%x%" and display_name like "%x%" (error, SQL injection exception).
>
> Are we trying to accept only a few types of operators and only a single condition? Or is this result not as expected and requires a fix?

I debugged this, and something like https://demo.fineract.dev/fineract-provider/api/v1/clients?paged=true&sqlSearch=c.account_no=000000003&tenantIdentifier=default works ...

... BUT - this is all wrong! :(

I was quite surprised to "discover" the sqlSearch query parameter of the API, thanks to your question here. It's... bad, IMHO.

https://issues.apache.org/jira/browse/FINERACT-1095 proposes to *REMOVE* sqlSearch support from the Fineract API. Does anyone have any objections?

If nobody objects to the API removal, and we ideally get some +1 votes of support, then (ideally) we would need to replace 2 usages of sqlSearch in the community-app UI. Is anyone reading this motivated to help with that?

M.
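The thread contrasts an API parameter that pastes caller-supplied text straight into a WHERE clause with the prepared-statement approach the original question was working toward. The following is an added illustration, not code from Fineract or from anyone in this thread: it uses an in-memory SQLite table with constructed rows (the table and column names only loosely mimic the `m_client` / `account_no` / `display_name` names that appear in the quoted URL), a deliberately unsafe `search_with_sql_search` that mirrors the concatenation pattern being removed, and a `build_filter_query` replacement that accepts structured `(column, operator, value)` filters, validates column and operator against an allowlist, and binds every value as a parameter. The allowlist, function names and filter shape are assumptions chosen for the example.

```python
import sqlite3

# Constructed sample rows (not Fineract data). Schema is a stand-in for the
# client table referenced in the thread, not Fineract's real m_client.
SAMPLE_CLIENTS = [
    (1, "000000001", "Alice Example"),
    (2, "000000002", "Bob Example"),
    (3, "000000003", "Carol Sample"),
]

# Allowlist of filterable columns and the operators each accepts. Anything
# outside this map is rejected before any SQL text is assembled. This map is
# an assumption for the example, not an API defined by Fineract.
ALLOWED_FILTERS = {
    "account_no": {"=", "!="},
    "display_name": {"=", "!=", "like"},
}


def open_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE m_client (id INTEGER, account_no TEXT, display_name TEXT)"
    )
    conn.executemany("INSERT INTO m_client VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def search_with_sql_search(conn, sql_search):
    """The pattern the thread proposes to remove: the caller's text becomes
    part of the WHERE clause verbatim. Present only as the 'before' case."""
    sql = "SELECT id FROM m_client WHERE " + sql_search
    return [row[0] for row in conn.execute(sql)]


def build_filter_query(filters):
    """Turn a list of (column, operator, value) triples into a parameterized
    query. Column and operator are checked against ALLOWED_FILTERS; the value
    is always passed as a bound parameter, never interpolated into the SQL.
    Returns (sql, params). Raises ValueError on a disallowed column/operator."""
    clauses, params = [], []
    for column, operator, value in filters:
        allowed_ops = ALLOWED_FILTERS.get(column)
        if allowed_ops is None:
            raise ValueError(f"column not filterable: {column!r}")
        op = operator.lower()
        if op not in allowed_ops:
            raise ValueError(f"operator {operator!r} not allowed for {column!r}")
        # Only allowlisted identifiers reach the SQL text; values go via '?'.
        clauses.append(f"{column} {op.upper()} ?")
        params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT id FROM m_client WHERE {where}", params


def search_with_filters(conn, filters):
    """Run a structured filter search; multiple conditions are ANDed together."""
    sql, params = build_filter_query(filters)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = open_sample_db()
    # Two LIKE conditions, the case the quoted question could not express safely.
    print(search_with_filters(db, [("display_name", "like", "%Example%"),
                                   ("display_name", "like", "%Bob%")]))
    # A value containing quote characters is just data under parameter binding.
    print(search_with_filters(db, [("display_name", "=", "x' OR '1'='1")]))
```

The structured form also removes the need for a string-based "SQL injection check" of the kind the quoted errors come from: a caller cannot name a column or operator outside the allowlist, and operators and values never mix because the value travels through the driver's parameter binding rather than through the query text.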
