[ https://issues.apache.org/jira/browse/FINERACT-757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17183384#comment-17183384 ]

Angel Cajas commented on FINERACT-757:
--------------------------------------

Hi [~vorburger] and [~awasum]. I checked the 1.4.0 versions and this pull 
request is already merged in there, so there is no need to reopen this issue. 
As far as I can see there are no conflicts with issue FINERACT-1095 as it is 
planned to remove the sqlSearch parameter and this commit didn't modify that 
one.

> Client list retrieval returns empty result when using search parameter
> ----------------------------------------------------------------------
>
>                 Key: FINERACT-757
>                 URL: https://issues.apache.org/jira/browse/FINERACT-757
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Client
>            Reporter: Angel Cajas
>            Assignee: Santosh Math
>            Priority: Critical
>             Fix For: 1.4.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Client list retrieval while using search parameters returns an empty result.
> While testing /clients endpoint to search clients using search parameters 
> such as firstName, secondName or externalId the search gave no results.
> Apparently in the past queries that required given parameters were built 
> concatenating strings and sqlInjection validation was needed and the function 
> sqlEncodeString in the class ApiParametersHelper was used for this reason.
> The function validated if parameters contained sqlInjection but also appended 
> quotation marks to the given parameter, however parameters are being 
> passed as an object array instead of being appended to the query string so 
> this validation isn't needed anymore as it's done by the sqlTemplate class 
> used to run the query.
> For example: Calling the sqlEncodeString modified the searchParam "Joe" to 
> "'Joe'" adding quotation marks and since there are no clients with quotation 
> marks in their name no clients were found and the result was empty.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
