terencemo commented on PR #5916: URL: https://github.com/apache/fineract/pull/5916#issuecomment-4624366750
> > > I like the idea, but second @meonkeys and @vidakovic regarding we should have a central place for SQL validation and rules and reuse that.
> >
> > I did not say that and I'm not reviewing this PR, but FWIW it sounds like a good idea?
>
> @meonkeys To the idea of using prepared statements wherever possible and input value sanitization and validation: yes, I do think it's a good direction.
>
> To implement it locally: not so much. I would probably wire and move this logic into the `SqlValidator`. There, I would define rules (which could be hardcoded, but probably we should have an SQL dictionary) and regular expressions or user-defined rules that could be configurable (to some extent).
>
> I suppose the main point here is to avoid having a local solution but a centralized one.

I'm trying to validate simple numbers / dates, etc. _before_ they are assembled into a SQL query. As per the signature: https://github.com/apache/fineract/blob/9e37bc3b66f82322ce50ee4d4bef32694d8a19b6/fineract-core/src/main/java/org/apache/fineract/infrastructure/security/service/SqlValidator.java#L25 there are 2 forms, one taking the statement as input and the other taking 2 arguments with the statement as the second argument. In my approach, the validation happens at the gate before the SQL is assembled / constructed. If there's already an interface/class for parameter validation, e.g. NumericParameterValidator or DateParameterValidator, then it could be used. But I don't think SqlValidator is simply built for a different purpose and not suited for what I'm doing. Correct me if wrong.
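An added illustration of the gate-level validation described in the comment above, written for this page and not taken from the Fineract code base or the PR: `GateValidator`, its method names and the table and column names in the query are assumptions.

```java
// Added illustration (not Fineract code): validate scalar request parameters
// at the gate, before any SQL is assembled, then bind them as parameters.
// GateValidator, the method names and the table/column names are hypothetical.
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.time.LocalDate;
import java.time.format.DateTimeParseException;

public final class GateValidator {

    private GateValidator() {}

    /** Accepts only a plain decimal literal; anything else is rejected before it can reach SQL. */
    public static BigDecimal requireNumeric(String name, String raw) {
        if (raw == null || !raw.matches("-?\\d{1,18}(\\.\\d{1,6})?")) {
            throw new IllegalArgumentException("Parameter '" + name + "' must be a number");
        }
        return new BigDecimal(raw);
    }

    /** Accepts only an ISO-8601 calendar date (yyyy-MM-dd); parsing is strict. */
    public static LocalDate requireIsoDate(String name, String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("Parameter '" + name + "' is required");
        }
        try {
            return LocalDate.parse(raw);
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException("Parameter '" + name + "' must be an ISO date", e);
        }
    }

    /** Example use: values are validated first, then bound with a PreparedStatement, never concatenated. */
    public static PreparedStatement findTransactions(Connection conn, String rawOfficeId,
                                                     String rawFromDate) throws SQLException {
        BigDecimal officeId = requireNumeric("officeId", rawOfficeId);
        LocalDate fromDate = requireIsoDate("fromDate", rawFromDate);
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, amount FROM m_transaction WHERE office_id = ? AND transaction_date >= ?");
        ps.setBigDecimal(1, officeId);
        ps.setDate(2, java.sql.Date.valueOf(fromDate));
        return ps;
    }
}
```

The two `require*` methods are the per-type validators the comment has in mind; a centralised rule set, as suggested in the quoted replies, would replace their hardcoded patterns without changing where in the flow they are called.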
