Posted to commits@fineract.apache.org by pt...@apache.org on 2021/04/12 22:11:04 UTC
[fineract] 02/11: Use prepared statements instead of string
concatenated SQL everywhere - WIP (FINERACT-854)
This is an automated email from the ASF dual-hosted git repository.
ptuomola pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/fineract.git
commit 5919d38f69fcd9b3f4619051d2656b58de0dc2fb
Author: Joseph Makara <jo...@strathmore.edu>
AuthorDate: Sun Mar 21 13:28:07 2021 +0300
Use prepared statements instead of string concatenated SQL everywhere - WIP (FINERACT-854)
---
.../service/GenericDataServiceImpl.java | 23 +++++++++++-----------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java
index 8c11f88..b75df1f 100644
--- a/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java
+++ b/fineract-provider/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataServiceImpl.java
@@ -261,9 +261,9 @@ public class GenericDataServiceImpl implements GenericDataService {
final List<ResultsetColumnValueData> columnValues = new ArrayList<>();
final String sql = "select v.id, v.code_score, v.code_value from m_code m " + " join m_code_value v on v.code_id = m.id "
- + " where m.code_name = '" + codeName + "' order by v.order_position, v.id";
+ + " where m.code_name = ? order by v.order_position, v.id";
- final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql);
+ final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {codeName});
rsValues.beforeFirst();
while (rsValues.next()) {
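Review bot: The new `queryForRowSet(sql, String.class, new Object[] {codeName})` call binds two values to a single `?`: Spring's JdbcTemplate has no `queryForRowSet(String, Class, Object[])` overload, so this resolves to the `queryForRowSet(String sql, Object... args)` varargs form with `String.class` as the first argument and the `Object[]` as the second, which fails at execution time with a parameter-count mismatch (unless `this.jdbcTemplate` is a project wrapper declaring such an overload, which is not visible here). The required-type parameter belongs to `queryForObject`; the parameterised query itself is the right fix for the injection, and the call should be `final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, codeName);` or, to pin the JDBC type, `this.jdbcTemplate.queryForRowSet(sql, new Object[] {codeName}, new int[] {Types.VARCHAR});`. The same misplaced class argument recurs in the hunks at `@@ -281` (`Integer.class` with `codeId`), `@@ -298` (`datatable`) and `@@ -309` (`datatableColumnName`). The enclosing method of this hunk starts before the hunk.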
@@ -281,9 +281,9 @@ public class GenericDataServiceImpl implements GenericDataService {
final List<ResultsetColumnValueData> columnValues = new ArrayList<>();
if (codeId != null) {
- final String sql = "select v.id, v.code_value from m_code_value v where v.code_id =" + codeId
+ final String sql = "select v.id, v.code_value from m_code_value v where v.code_id =?"
+ " order by v.order_position, v.id";
- final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql);
+ final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, Integer.class, new Object[] {codeId});
rsValues.beforeFirst();
while (rsValues.next()) {
final Integer id = rsValues.getInt("id");
@@ -298,10 +298,10 @@ public class GenericDataServiceImpl implements GenericDataService {
private SqlRowSet getDatatableMetaData(final String datatable) {
final String sql = "select COLUMN_NAME, IS_NULLABLE, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH, COLUMN_KEY"
- + " from INFORMATION_SCHEMA.COLUMNS " + " where TABLE_SCHEMA = schema() and TABLE_NAME = '" + datatable
- + "'order by ORDINAL_POSITION";
+ + " from INFORMATION_SCHEMA.COLUMNS " + " where TABLE_SCHEMA = schema() and TABLE_NAME = ?"
+ + " order by ORDINAL_POSITION";
- final SqlRowSet columnDefinitions = this.jdbcTemplate.queryForRowSet(sql);
+ final SqlRowSet columnDefinitions = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {datatable});
if (columnDefinitions.next()) {
return columnDefinitions;
}
@@ -309,11 +309,10 @@ public class GenericDataServiceImpl implements GenericDataService {
throw new DatatableNotFoundException(datatable);
}
- private SqlRowSet getDatatableCodeData(final String datatable, final String columnName) {
-
- final String sql = "select mc.id,mc.code_name from m_code mc join x_table_column_code_mappings xcc on xcc.code_id = mc.id where xcc.column_alias_name='"
- + datatable.toLowerCase().replaceAll("\\s", "_") + "_" + columnName + "'";
- final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql);
+ private SqlRowSet getDatatableCodeData(final String aDatatable, final String aColumnName) {
+ String datatableColumnName = aDatatable.toLowerCase().replaceAll("\\s", "_") + "_" + aColumnName;
+ final String sql = "select mc.id,mc.code_name from m_code mc join x_table_column_code_mappings xcc on xcc.code_id = mc.id where xcc.column_alias_name=?";
+ final SqlRowSet rsValues = this.jdbcTemplate.queryForRowSet(sql, String.class, new Object[] {datatableColumnName});
return rsValues;
}