Hey Michael,

I agree to remove this parameter; we may want to add a few additional specific parameters to filter out results upon request from users.

I may be interested in working with the community-app, but I am wondering how we will replace them (I was thinking whether we can remove them altogether, if possible).

Best,
Chirag Gupta

On Thu, Jul 23, 2020 at 5:27 AM Michael Vorburger <[email protected]> wrote:
> Manthan,
>
> Thanks for raising this:
>
> On Sat, Jul 18, 2020 at 10:18 PM Manthan Surkar <[email protected]> wrote:
>> Hello everyone,
>>
>> I am trying to convert String concatenated SQL to prepared SQL statements,
>
> just an FYI to others, the background here is
> https://issues.apache.org/jira/browse/FINERACT-854.
>
>> wherein I could not figure out the correct use of the sqlSearch argument.
>>
>> Find it here: https://demo.mifos.io/api-docs/apiLive.htm#groups_list
>>
>> Problem:
>> I tried various values for sqlSearch:
>>   accountNo = 1010101 (error, SQL injection exception)
>>   display_name like "%x%" (works)
>>   display_name like "%x%" and display_name like "%x%" (error, SQL injection exception).
>>
>> Are we trying to accept only a few types of operators and only a single
>> condition? Or is this result not as expected and requires a fix?
>
> I debugged this, and something like
> https://demo.fineract.dev/fineract-provider/api/v1/clients?paged=true&sqlSearch=c.account_no=000000003&tenantIdentifier=default
> works ...
>
> ... BUT - this is all wrong! :( I was quite surprised to "discover" the
> sqlSearch query parameter of the API, thanks to your question here. It's...
> bad, IMHO.
>
> https://issues.apache.org/jira/browse/FINERACT-1095 proposes to REMOVE
> sqlSearch support from the Fineract API. Does anyone have any objections?
>
> If nobody objects to the API removal, and we ideally get some +1 votes of
> support, then (ideally) we would need to replace 2 usages of sqlSearch in
> the community-app UI. Is anyone reading this motivated to help with that?
>
> M.
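The thread above is about an API parameter (sqlSearch) whose value is a raw SQL fragment pasted into the WHERE clause, and about replacing it with a few specific filter parameters bound as prepared-statement arguments. The following is an added illustration of that contrast, not Fineract's or the community-app's code: it is written in Python against an in-memory SQLite table, and the table columns, the sample rows and the filter names accountNo, displayName and officeId are all assumptions made for the example.

```python
import sqlite3

# Constructed sample rows standing in for a client table; not Fineract's schema or data.
ROWS = [
    (1, "000000001", "Alice Example", 1),
    (2, "000000002", "Bob Sample", 1),
    (3, "000000003", "Carol Test", 2),
]

SELECT = "SELECT c.id, c.account_no, c.display_name FROM m_client c"


def open_db() -> sqlite3.Connection:
    """Build the in-memory table the two query functions below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE m_client ("
        "id INTEGER PRIMARY KEY, account_no TEXT, display_name TEXT, office_id INTEGER)"
    )
    conn.executemany("INSERT INTO m_client VALUES (?, ?, ?, ?)", ROWS)
    return conn


def list_clients_sqlsearch(conn: sqlite3.Connection, sql_search: str) -> list:
    """VULNERABLE shape: the caller's fragment becomes part of the statement text.

    Whatever the caller sends (an extra OR, a UNION, a comment marker) is executed
    with the privileges of the application's database user.
    """
    return conn.execute(SELECT + " WHERE " + sql_search).fetchall()


# Allowlist of API filter names -> (column, operator). Only these names reach the SQL text;
# the caller never chooses a column, an operator or a boolean connective.
ALLOWED_FILTERS = {
    "accountNo": ("c.account_no", "="),
    "displayName": ("c.display_name", "LIKE"),
    "officeId": ("c.office_id", "="),
}


def list_clients_filtered(conn: sqlite3.Connection, filters: dict) -> list:
    """HARDENED replacement: specific, allowlisted parameters bound with placeholders.

    Unknown filter names are rejected instead of being interpreted. Values are passed
    to the driver as parameters, so quotes, OR and UNION in a value stay literal data.
    """
    clauses, params = [], []
    for name, value in filters.items():
        if name not in ALLOWED_FILTERS:
            raise ValueError(f"unsupported filter: {name}")
        column, op = ALLOWED_FILTERS[name]
        if op == "LIKE":
            # Substring match. A caller can still pass % or _ as LIKE wildcards; that widens
            # the match but cannot change the statement's structure.
            value = f"%{value}%"
        clauses.append(f"{column} {op} ?")
        params.append(value)
    sql = SELECT + (" WHERE " + " AND ".join(clauses) if clauses else "")
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("legit sqlSearch :", list_clients_sqlsearch(db, "c.account_no='000000003'"))
    print("injected OR     :", list_clients_sqlsearch(db, "c.account_no='nope' OR 1=1"))
    print("injected UNION  :", list_clients_sqlsearch(db, "1=0 UNION SELECT 0, name, sql FROM sqlite_master"))
    print("bound accountNo :", list_clients_filtered(db, {"accountNo": "nope' OR 1=1 --"}))
    print("bound displayName:", list_clients_filtered(db, {"displayName": "o"}))
```

The same fragment that makes `sqlSearch` convenient (`c.account_no=000000003` in the URL quoted above) is what lets a caller append `OR 1=1` or a `UNION` against the catalog; the allowlisted version keeps the per-column convenience while the driver, not string concatenation, decides where data ends and SQL begins.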
