[ https://issues.apache.org/jira/browse/FINERACT-682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16738483#comment-16738483 ]
Vishwas Babu A J commented on FINERACT-682:
-------------------------------------------

Thanks for explaining the issue Shruthi. If I understand correctly, you are planning to rename existing report parameters as they now do not pass SQLInjectorValidation. There might be side effects of doing the same:

-> A user interface which has hardcoded existing parameter names for embedding context specific reports etc. would break.
-> Another possible issue would be that users might have already introduced other similarly named reporting parameters in their installations and they would still continue to break.

Can you confirm that there is a need to validate parameter names for containing DML and DDL substrings? I ask since these parameter names are replaced with their corresponding queries by fineract while executing them against the database, so validating them against an alphanumeric regex should be sufficient. If you can confirm that this is right, then the more appropriate fix would be to update the validation itself.

> Renaming stretchy_report parameters conflicting with sql injection
> ------------------------------------------------------------------
>
>                 Key: FINERACT-682
>                 URL: https://issues.apache.org/jira/browse/FINERACT-682
>             Project: Apache Fineract
>          Issue Type: Improvement
>            Reporter: Shruthi M R
>            Assignee: Shruthi M R
>            Priority: Major
>             Fix For: 1.3.0
>
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
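As an added illustration of the two validation approaches weighed in the comment above (example code written for this page, not Fineract's own SQLInjectorValidation): a DML/DDL substring denylist placed next to an identifier allow-list regex, run over constructed parameter names. The keyword list, the regex and the sample names are assumptions, not values from the Fineract code base.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/** Hypothetical validators for stretchy report parameter names (not Fineract's code). */
public final class ReportParameterNameValidation {

    // Constructed denylist of DML/DDL words, the kind of substring check the comment describes.
    private static final List<String> SQL_KEYWORDS =
        List.of("select", "insert", "update", "delete", "drop", "alter", "create", "truncate");

    // Allow-list: a parameter name is a plain identifier (letters, digits, underscore), nothing else.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z][A-Za-z0-9_]{0,63}$");

    /** Denylist check: rejects any name containing a keyword, even inside a longer harmless word. */
    public static boolean passesKeywordDenylist(String name) {
        String lower = name.toLowerCase(Locale.ROOT);
        return SQL_KEYWORDS.stream().noneMatch(lower::contains);
    }

    /** Allow-list check: accepts only names that match the identifier pattern. */
    public static boolean passesIdentifierAllowlist(String name) {
        return IDENTIFIER.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names:
        //  - "selectedOfficeId" is a legitimate identifier that merely contains "select";
        //  - "officeId'; --" contains no keyword at all, yet is clearly not an identifier.
        List<String> names = List.of("officeId", "selectedOfficeId", "officeId'; --");
        for (String n : names) {
            System.out.printf("%-20s denylist=%-5b allowlist=%b%n",
                n, passesKeywordDenylist(n), passesIdentifierAllowlist(n));
        }
    }
}
```

The denylist both over-blocks ("selectedOfficeId" is rejected) and under-blocks ("officeId'; --" passes), while the allow-list gives the intended answer for all three names.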