[ https://issues.apache.org/jira/browse/FINERACT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17314447#comment-17314447 ]

Joseph Makara commented on FINERACT-1338:
-----------------------------------------

On adding the above fix on my local the SQLi error (error.msg.found.sql.injection) is gone BUT now I am seeing below other error

{code:java}
{"developerMessage":"The requested resource is not available.","httpStatusCode":"404","defaultUserMessage":"The requested resource is not available.","userMessageGlobalisationCode":"error.msg.resource.not.found","errors":[{"developerMessage":"Reporting meta-data entry not found.","defaultUserMessage":"Reporting meta-data entry not found.","userMessageGlobalisationCode":"error.msg.report.name.not.found","parameterName":"id","value":null,"args":[{"value":"Report Name: OfficeIdSelectOne"}]}]}
{code}

On debug I see it is attempting to get _report parameters_ from report table stretchy_report but clearly these parameters are in `_stretchy_parameter_`

{code:java}
SELECT x.* FROM (
  SELECT ifNull(report_type,'') AS report_type
  FROM `stretchy_report`
  WHERE report_name = 'OfficeIdSelectOne' AND self_service_user_report = 0
) x;
{code}

Looking into this... to tell whether or not it is supposed to look up report parameters from `stretchy_report`.

> SQL Injection - While "runreports" api is trying to load report parameters
> --------------------------------------------------------------------------
>
>                 Key: FINERACT-1338
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1338
>             Project: Apache Fineract
>          Issue Type: Bug
>            Reporter: Francis Guchie
>            Assignee: Francis Guchie
>            Priority: Major
>         Attachments: image-2021-03-31-15-53-00-571.png
>
>
> After solving the error at FINERACT-1336 a new error shows up.
> while api - runreports
> fineract-provider/api/v1/runreports/OfficeIdSelectOne?parameterType=true
> is spooling the report parameters, user will not see any error on the UI
> !image-2021-03-31-15-53-00-571.png!
> but looking through the console OR postman you see error below
> {
>     "developerMessage": "The request was invalid. This typically will happen due to validation errors which are provided.",
>     "httpStatusCode": "400",
>     "defaultUserMessage": "Unexpected SQL Commands found",
>     *"userMessageGlobalisationCode": "error.msg.found.sql.injection"*
> }

--
This message was sent by Atlassian Jira (v8.3.4#803005)