Posted to issues@fineract.apache.org by "Michael Vorburger (Jira)" <ji...@apache.org> on 2020/08/24 08:01:00 UTC

[jira] [Commented] (FINERACT-757) Client list retrieval returns empty result when using search parameter

    [ https://issues.apache.org/jira/browse/FINERACT-757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17183032#comment-17183032 ] 

Michael Vorburger commented on FINERACT-757:
--------------------------------------------

I've stumbled upon this issue today while clarifying FINERACT-877, and thought that it was worth noting that, as far as I can tell from Git, this one hasn't actually made it into 1.4.0, so the Fix Version (and Release Notes) for this are probably wrong? As far as I can tell, this is only in 1.3.1 but not on the develop branch (and thus, now, the new 1.4.0 branch)... 

If this is important to the Reporter or Assignee, it should perhaps be re-opened to be clarified and potentially re-applied to 1.4.0? But note FINERACT-1095...

[~aleks] and [~awasum] just FYI.

> Client list retrieval returns empty result when using search parameter
> ----------------------------------------------------------------------
>
>                 Key: FINERACT-757
>                 URL: https://issues.apache.org/jira/browse/FINERACT-757
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Client
>            Reporter: Angel Cajas
>            Assignee: Santosh Math
>            Priority: Critical
>             Fix For: 1.4.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Client list retrieval while using search parameters returns an empty result.
> While testing the /clients endpoint to search clients using search parameters such as firstName, secondName or externalId, the search gave no results.
> Apparently, in the past, queries that required given parameters were built by concatenating strings, so SQL injection validation was needed, and the function sqlEncodeString in the class ApiParametersHelper was used for this reason.
> The function validated whether parameters contained SQL injection but also appended quotation marks to the given parameter; however, parameters are being passed as an object array instead of being appended to the query string, so this validation isn't needed anymore, as it's done by the sqlTemplate class used to run the query.
> For example: calling sqlEncodeString modified the searchParam "Joe" to "'Joe'", adding quotation marks, and since there are no clients with quotation marks in their name, no clients were found and the result was empty.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
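The following is an added example (not Fineract code, not the ApiParametersHelper helper or the actual fix for this issue) that reproduces the mechanism the reporter describes: a helper that both validates a search parameter and wraps it in quotes is harmless when its output is spliced into SQL text, but once the value is passed as a bind parameter instead, the quotes become part of the literal being compared and the query matches nothing. The function names sql_encode_string, search_concat, search_bound_quoted and search_bound, the suspicious-fragment regex, and the in-memory m_client table with its rows are all constructed for this illustration; it runs offline against Python's built-in sqlite3, standing in for the JDBC template in the issue.

```python
"""
Added example (not Fineract's own code): why quoting a value before binding it
as a SQL parameter returns an empty result, and what the fixed call looks like.
All names, the regex and the sample rows below are hypothetical stand-ins.
"""
import re
import sqlite3

# Stand-in for the described helper: reject obvious injection fragments, then
# wrap the value in single quotes. Only correct when the result is concatenated
# into SQL text, never when it is handed to a driver as a bind parameter.
_SUSPICIOUS = re.compile(r"(--|;|/\*|\*/|\bor\b|\bunion\b)", re.IGNORECASE)


def sql_encode_string(value: str) -> str:
    """Validate-and-quote helper (hypothetical; mirrors the behaviour the issue describes)."""
    if _SUSPICIOUS.search(value):
        raise ValueError(f"possible SQL injection in search parameter: {value!r}")
    # Escape embedded single quotes the SQL way, then add the surrounding quotes.
    return "'" + value.replace("'", "''") + "'"


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a client table; not real Fineract data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE m_client (id INTEGER PRIMARY KEY, firstname TEXT, "
        "lastname TEXT, external_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO m_client (firstname, lastname, external_id) VALUES (?, ?, ?)",
        [("Joe", "Smith", "EXT-001"), ("Mary", "Jones", "EXT-002"),
         ("D'Angelo", "Rossi", "EXT-003")],
    )
    return conn


def search_concat(conn: sqlite3.Connection, first_name: str) -> list:
    """Old style: the encoded (already quoted) value is spliced into the SQL text."""
    sql = "SELECT id, firstname FROM m_client WHERE firstname = " + sql_encode_string(first_name)
    return conn.execute(sql).fetchall()


def search_bound_quoted(conn: sqlite3.Connection, first_name: str) -> list:
    """The buggy combination: quote the value AND pass it as a bind parameter.

    The driver compares the column against the literal string 'Joe' including
    its quote characters, so no client matches and the result is empty.
    """
    sql = "SELECT id, firstname FROM m_client WHERE firstname = ?"
    return conn.execute(sql, (sql_encode_string(first_name),)).fetchall()


def search_bound(conn: sqlite3.Connection, first_name: str) -> list:
    """Fixed: bind the raw value; the driver handles quoting and escaping itself."""
    sql = "SELECT id, firstname FROM m_client WHERE firstname = ?"
    return conn.execute(sql, (first_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated, quoted :", search_concat(db, "Joe"))
    print("bound, quoted (bug)  :", search_bound_quoted(db, "Joe"))
    print("bound, raw (fixed)   :", search_bound(db, "Joe"))
    print("bound, name w/ quote :", search_bound(db, "D'Angelo"))
    # An injection attempt is just an odd name once it is bound, not SQL.
    print("bound, injection try :", search_bound(db, "Joe' OR '1'='1"))
```

The takeaway for reviewers of similar changes: when a query moves from string concatenation to bind parameters, every call site that pre-quoted or pre-escaped the value must be updated as well, otherwise the query silently returns nothing rather than failing loudly. With bind parameters the raw value is what goes in; the injection-style input in the last line matches no row and is never interpreted as SQL.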