Posted to commits@fineract.apache.org by pt...@apache.org on 2021/04/12 22:11:04 UTC

[fineract] 02/11: Use prepared statements instead of string concatenated SQL everywhere - WIP (FINERACT-854)

This is an automated email from the ASF dual-hosted git repository.

ptuomola pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/fineract.git

commit 5919d38f69fcd9b3f4619051d2656b58de0dc2fb
Author: Joseph Makara <jo...@strathmore.edu>
AuthorDate: Sun Mar 21 13:28:07 2021 +0300

    Use prepared statements instead of string concatenated SQL everywhere - WIP (FINERACT-854)
---
 .../service/GenericDataServiceImpl.java            | 23 +++++++++++-----------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java
index 8c11f88..b75df1f 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java
@@ -261,9 +261,9 @@ public class GenericDataServiceImpl implements GenericDataService {
         final List<ResultsetColumnValueData> columnValues = new ArrayList<>();
 
         final String sql = "select v.id, v.code_score, v.code_value from m_code m " + " join m_code_value v on v.code_id = m.id "
-                + " where m.code_name = '" + codeName + "' order by v.order_position, v.id";
+                + " where m.code_name = ? order by v.order_position, v.id";
 
-        final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql);
+        final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {codeName});
 
         rsValues.beforeFirst();
         while (rsValues.next()) {
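Review bot: The rewritten call `final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {codeName});` binds `String.class` as a query parameter rather than describing a result type: JdbcTemplate offers `queryForRowSet(String, Object...)` and `queryForRowSet(String, Object[], int[])` but no overload taking a `Class`, so the varargs form receives two arguments (`String.class` and the array) for a single `?`, which should fail at statement execution with a parameter-count error and, with a lenient driver, would never bind `codeName`. The `Class` argument belongs to `queryForObject(String, Class, Object...)`, which is presumably where the pattern was copied from. The intended call is `final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, codeName);`. The same mistake appears in the three later hunks: the `codeId` lookup (`Integer.class`), `getDatatableMetaData` and `getDatatableCodeData`. The method enclosing this hunk starts before it.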
@@ -281,9 +281,9 @@ public class GenericDataServiceImpl implements GenericDataService {
 
         final List<ResultsetColumnValueData> columnValues = new ArrayList<>();
         if (codeId != null) {
-            final String sql = "select v.id, v.code_value from m_code_value v where v.code_id =" + codeId
+            final String sql = "select v.id, v.code_value from m_code_value v where v.code_id =?"
                     + " order by v.order_position, v.id";
-            final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql);
+            final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, Integer.class, new Object[] {codeId});
             rsValues.beforeFirst();
             while (rsValues.next()) {
                 final Integer id = rsValues.getInt("id");
@@ -298,10 +298,10 @@ public class GenericDataServiceImpl implements GenericDataService {
     private SqlRowSet getDatatableMetaData(final String datatable) {
 
         final String sql = "select COLUMN_NAME, IS_NULLABLE, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH, COLUMN_KEY"
-                + " from INFORMATION_SCHEMA.COLUMNS " + " where TABLE_SCHEMA = schema() and TABLE_NAME = '" + datatable
-                + "'order by ORDINAL_POSITION";
+                + " from INFORMATION_SCHEMA.COLUMNS " + " where TABLE_SCHEMA = schema() and TABLE_NAME = ?"
+                + " order by ORDINAL_POSITION";
 
-        final SqlRowSet columnDefinitions = this.jdbcTemplate.queryForRowSet(sql);
+        final SqlRowSet columnDefinitions = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {datatable});
         if (columnDefinitions.next()) {
             return columnDefinitions;
         }
@@ -309,11 +309,10 @@ public class GenericDataServiceImpl implements GenericDataService {
         throw new DatatableNotFoundException(datatable);
     }
 
-    private SqlRowSet getDatatableCodeData(final String datatable, final String columnName) {
-
-        final String sql = "select mc.id,mc.code_name from m_code mc join x_table_column_code_mappings xcc on xcc.code_id = mc.id where xcc.column_alias_name='"
-                + datatable.toLowerCase().replaceAll("\\s", "_") + "_" + columnName + "'";
-        final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql);
+    private SqlRowSet getDatatableCodeData(final String aDatatable, final String aColumnName) {
+        String datatableColumnName = aDatatable.toLowerCase().replaceAll("\\s", "_") + "_" + aColumnName;
+        final String sql = "select mc.id,mc.code_name from m_code mc join x_table_column_code_mappings xcc on xcc.code_id = mc.id where xcc.column_alias_name=?";
+        final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {datatableColumnName});
 
         return rsValues;
     }
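Review bot: The parameter renames to `aDatatable` and `aColumnName` introduce a prefix convention that nothing else in this file uses; `getDatatableMetaData` directly above keeps the plain `datatable` name, and the diff shows the renames serve no purpose beyond freeing the old names. The new local `datatableColumnName` is also the only local in these hunks not declared `final`, and `toLowerCase()` without a locale makes the alias lookup depend on the JVM default locale, which looks unintended for a column-name key. Suggested: `private SqlRowSet getDatatableCodeData(final String datatable, final String columnName) {` and `final String datatableColumnName = datatable.toLowerCase(Locale.ROOT).replaceAll("\\s", "_") + "_" + columnName;` (adding the `java.util.Locale` import if the file does not already have it).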