[
https://issues.apache.org/jira/browse/FINERACT-854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18055032#comment-18055032
]
saifulhuq commented on FINERACT-854:
------------------------------------
I have submitted a Pull Request to resolve this issue.
*PR #5407:* [https://github.com/apache/fineract/pull/5407]
*Summary of Fix:* Replaced SQL string concatenation with a Prepared Statement
in {{SmsReadPlatformServiceImpl.java}} to prevent SQL injection vulnerabilities.
> Use prepared statements instead of string concatenated SQL everywhere
> ---------------------------------------------------------------------
>
> Key: FINERACT-854
> URL: https://issues.apache.org/jira/browse/FINERACT-854
> Project: Apache Fineract
> Issue Type: Improvement
> Components: Security
> Reporter: Michael Vorburger
> Assignee: Joseph Makara
> Priority: Major
> Labels: beginner, scalability, security, technical
>
> The Fineract code base in many places creates SQL statements through String
> concatenation. This is prone to SQL injection. This is mitigated by the use
> of helper utilities such as
> {{org.apache.fineract.infrastructure.core.api.ApiParameterHelper.sqlEncodeString(String)}}
> and
> {{org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator.validateSQLInput(String)}}
> but I opine that those are workarounds... the better solution, both for
> security and likely also helping with performance (at least a little bit,
> knowing how much would require measuring it...), would be to use JDBC
> prepared statements with '?' placeholders and passing all raw arguments,
> instead of embedding them in the query String.
>
> FINERACT-808 root cause analysis brought this up, and I'm about to raise a PR
> for FINERACT-808 which makes a start; the goal of this issue is to use the
> new {{org.apache.fineract.infrastructure.security.utils.SQLBuilder}}
> everywhere, and eventually be able to get completely rid of
> {{ApiParameterHelper}} and {{SQLInjectionValidator}}.
>
> This issue should also include work to scan the code base for places where
> SQL Strings are concatenated without even using the existing helpers.
> FINERACT-853 could potentially help with that.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
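The concatenation-versus-placeholder contrast the issue describes, as an added example that is not part of the Jira thread and not Fineract code (it does not use Fineract's SQLBuilder or its schema). It uses Python's sqlite3 module because its '?' qmark placeholders behave the same way as JDBC prepared-statement placeholders: the value is bound by the driver and never parsed as SQL text. The sms table, its rows, the injection payload and the build_query/search helpers are all constructed for this illustration; build_query is a hypothetical helper showing how a dynamic WHERE clause can still be assembled from placeholders only, with column names taken from a fixed whitelist because identifiers cannot be bound as parameters.

```python
import sqlite3

# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Constructed in-memory sample table (not Fineract's m_sms schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sms (id INTEGER PRIMARY KEY, mobile_no TEXT,"
        " message TEXT, status INTEGER)"
    )
    conn.executemany(
        "INSERT INTO sms (mobile_no, message, status) VALUES (?, ?, ?)",
        [
            ("+254700000001", "Your loan is approved", 100),
            ("+254700000002", "Payment received", 200),
            ("+254700000003", "Internal audit notice", 300),
        ],
    )
    conn.commit()
    return conn


def find_by_mobile_concat(conn, mobile_no):
    """Vulnerable: the raw caller-supplied value becomes part of the SQL text."""
    sql = "SELECT id, message FROM sms WHERE mobile_no = '" + mobile_no + "'"
    return conn.execute(sql).fetchall()


def find_by_mobile_prepared(conn, mobile_no):
    """Hardened: '?' placeholder; the value is bound, never parsed as SQL."""
    sql = "SELECT id, message FROM sms WHERE mobile_no = ?"
    return conn.execute(sql, (mobile_no,)).fetchall()


# Hypothetical helper for the "dynamic search" pattern where code bases
# typically reach for concatenation: only values are bound, and column
# names are restricted to a whitelist since identifiers cannot be bound.
ALLOWED_COLUMNS = {"mobile_no", "status"}


def build_query(filters):
    """Return (sql, params) from (column, value) pairs using placeholders only."""
    clauses, params = [], []
    for column, value in filters:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown filter column {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT id, message FROM sms"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, tuple(params)


def search(conn, filters):
    sql, params = build_query(filters)
    return conn.execute(sql, params).fetchall()


def demo():
    """Run both variants against a legitimate value and the injection payload."""
    conn = make_db()
    return {
        "legit_concat": find_by_mobile_concat(conn, "+254700000002"),
        "legit_prepared": find_by_mobile_prepared(conn, "+254700000002"),
        # Concatenation turns the filter into a tautology and leaks every row.
        "injected_concat": find_by_mobile_concat(conn, PAYLOAD),
        # The bound value is compared literally, so nothing matches.
        "injected_prepared": find_by_mobile_prepared(conn, PAYLOAD),
        "search_both": search(conn, [("mobile_no", "+254700000001"), ("status", 100)]),
        "search_injected": search(conn, [("status", PAYLOAD)]),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload, the concatenated query becomes `SELECT id, message FROM sms WHERE mobile_no = '' OR '1'='1'` and returns all three rows, while the prepared variant returns none; the "legit" calls show both variants return the same row for a well-formed number. Note that sqlite3 refuses to execute more than one statement per call, so a `'; DROP TABLE ...` payload would fail here for a different reason than in a JDBC driver; the tautology is the portable demonstration.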