[
https://issues.apache.org/jira/browse/FINERACT-1058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17148901#comment-17148901
]
Manthan Surkar commented on FINERACT-1058:
------------------------------------------
[~vorburger] In our previous implementation we did this:
the values are hardcoded (and not prepared). I am still looking into it, though.
!screenshot-1.png!
Offset, order by, limit: all 3 parameters come from the user. To prevent SQL
injection, is it worth checking whether the orderby parameter actually follows a
column-name regex and that limit and offset have integers as values?
Even if we cannot use a prepared statement, will this extra check be of some
value? Since we are currently (probably) directly concatenating the values, I am
attempting to check if SQL injection is possible in the current system with
limit values.
Also, I am testing your last point, whether it can be used as a prepared statement.
> Add support for "limit" and "order by" query in SQLBuilder
> -----------------------------------------------------------
>
> Key: FINERACT-1058
> URL: https://issues.apache.org/jira/browse/FINERACT-1058
> Project: Apache Fineract
> Issue Type: Improvement
> Reporter: Manthan Surkar
> Assignee: Manthan Surkar
> Priority: Major
> Attachments: screenshot-1.png
>
>
> This is in continuation of the work done by [~vorburger] in
> https://github.com/apache/fineract/pull/725
> The SQL builder currently does not support limit and order by operations. We
> can either keep the operations independent of SQLBuilder (which is certainly
> not recommended, imo) or add them as a part of it.
> WDYT [~vorburger] [~awasum]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
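The check discussed in the comment above (column-name regex for ORDER BY, integer validation for LIMIT/OFFSET, bind parameters where the driver allows them), as an added example that is not Fineract code. It is written in Python with sqlite3 rather than the project's Java so that the injection can actually be run against an in-memory database: the `accounts` and `api_keys` tables, their rows, the `SORTABLE_COLUMNS` whitelist and `MAX_LIMIT` are all constructed for the example. The unsafe builder never needs stacked statements; a subquery in ORDER BY or LIMIT is enough to leak a secret one character at a time, which is why the validator only accepts a whitelisted identifier plus ASC/DESC, and only plain decimal integers for the paging values.

```python
import re
import sqlite3

# Hypothetical whitelist of sortable columns and an upper bound on page size.
SORTABLE_COLUMNS = {"id", "name"}
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
MAX_LIMIT = 100
MAX_OFFSET = 1_000_000


def unsafe_sql(order_by, limit, offset):
    """Plain concatenation, as in the code the comment describes: all three
    user-supplied values become part of the SQL text."""
    return (f"SELECT id, name FROM accounts ORDER BY {order_by} "
            f"LIMIT {limit} OFFSET {offset}")


def parse_order_by(order_by):
    """Accept '<column> [ASC|DESC]' only. The column must match the identifier
    regex AND be whitelisted; the returned fragment is then safe to concatenate,
    which is unavoidable because ORDER BY cannot be a bind parameter."""
    parts = order_by.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"bad order by: {order_by!r}")
    column = parts[0]
    if not IDENTIFIER_RE.fullmatch(column) or column.lower() not in SORTABLE_COLUMNS:
        raise ValueError(f"column not sortable: {column!r}")
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"bad direction: {parts[1]!r}")
    return f"{column.lower()} {direction}"


def parse_non_negative_int(value, name, maximum):
    """Reject anything that is not a plain decimal integer within bounds
    (so '10; DROP TABLE', '1 OFFSET 0', '(SELECT ...)' and '' all fail)."""
    text = str(value).strip()
    if not re.fullmatch(r"[0-9]{1,9}", text):
        raise ValueError(f"{name} must be a non-negative integer: {value!r}")
    number = int(text)
    if number > maximum:
        raise ValueError(f"{name} too large: {number}")
    return number


def safe_sql(order_by, limit, offset):
    """Validated ORDER BY fragment is concatenated; LIMIT/OFFSET are validated
    and additionally passed as bind parameters."""
    sql = (f"SELECT id, name FROM accounts ORDER BY {parse_order_by(order_by)} "
           "LIMIT ? OFFSET ?")
    params = (parse_non_negative_int(limit, "limit", MAX_LIMIT),
              parse_non_negative_int(offset, "offset", MAX_OFFSET))
    return sql, params


def is_rejected(order_by, limit, offset):
    """True when the validators refuse the combination."""
    try:
        safe_sql(order_by, limit, offset)
    except ValueError:
        return True
    return False


def demo_db():
    """Constructed sample data: a listing table plus a table the listing
    endpoint must never reveal."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO accounts VALUES (1, 'zeta'), (2, 'alpha'), (3, 'mid');
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO api_keys VALUES (1, 'sk_live_7f3a');
    """)
    return conn


def secret_starts_with_via_order_by(conn, guess):
    """Blind oracle through the unsafe ORDER BY: if the guess is right the rows
    are ordered by id (zeta, id 1, first), otherwise by name (alpha, id 2, first)."""
    payload = (f"(CASE WHEN (SELECT substr(secret, 1, 1) FROM api_keys WHERE id = 1) "
               f"= '{guess}' THEN id ELSE name END)")
    rows = conn.execute(unsafe_sql(payload, 1, 0)).fetchall()
    return rows[0][0] == 1


def secret_starts_with_via_limit(conn, guess):
    """Same oracle through the unsafe LIMIT: the subquery yields 1 row or 0 rows."""
    payload = (f"(SELECT CASE WHEN substr(secret, 1, 1) = '{guess}' THEN 1 ELSE 0 END "
               f"FROM api_keys WHERE id = 1)")
    rows = conn.execute(unsafe_sql("id", payload, 0)).fetchall()
    return len(rows) == 1


def run_safe(conn, order_by, limit, offset):
    """Execute the validated, parameterised query."""
    sql, params = safe_sql(order_by, limit, offset)
    return conn.execute(sql, params).fetchall()
```

The two oracle functions show why "no stacked queries" is not a defence: each call to the unsafe builder answers one yes/no question about the secret, which is all a blind attacker needs. The whitelist matters as much as the regex; `secret` is a perfectly valid identifier, so a regex-only check would still let a caller sort the listing by a column it should not see.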