details: https://code.openbravo.com/erp/devel/pi/rev/a5d02171e10c changeset: 35702:a5d02171e10c user: Nono Carballo <nonofce <at> gmail.com> date: Thu Apr 25 12:39:23 2019 +0200 summary: Fixes issue 40522: Prevents use of string concatenation in query
Query to get business partners was formed using string concatenation. This fix replaces the string concatenation by bind parameters in query. details: https://code.openbravo.com/erp/devel/pi/rev/cfc6ddc67eb0 changeset: 35703:cfc6ddc67eb0 user: Sandra Huguet <sandra.huguet <at> openbravo.com> date: Thu Apr 25 13:12:34 2019 +0200 summary: related to issue 40522 code review changes diffstat: modules/org.openbravo.advpaymentmngt/src/org/openbravo/advpaymentmngt/utility/FIN_BankStatementImport.java | 12 +++++++-- 1 files changed, 9 insertions(+), 3 deletions(-) diffs (37 lines):
diff -r 1fbbfb4e42f7 -r cfc6ddc67eb0 modules/org.openbravo.advpaymentmngt/src/org/openbravo/advpaymentmngt/utility/FIN_BankStatementImport.java
--- a/modules/org.openbravo.advpaymentmngt/src/org/openbravo/advpaymentmngt/utility/FIN_BankStatementImport.java Wed Apr 24 13:21:07 2019 +0200
+++ b/modules/org.openbravo.advpaymentmngt/src/org/openbravo/advpaymentmngt/utility/FIN_BankStatementImport.java Thu Apr 25 13:12:34 2019 +0200
@@ -11,7 +11,7 @@
 * under the License.
 * The Original Code is Openbravo ERP.
 * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2010-2018 Openbravo SLU
+ * All portions are Copyright (C) 2010-2019 Openbravo SLU
 * All Rights Reserved.
 * Contributor(s): ______________________________________.
 *************************************************************************
@@ -409,9 +409,14 @@
 whereClause.append("select b.id as id, b.name as name from ");
 whereClause.append(" BusinessPartner b ");
 whereClause.append(" where (");
+ HashMap<String, String> tokenPrams = new HashMap<>();
+ int tokenIndex = 0;
 for (String token : list) {
- whereClause.append(
- " lower(b." + BusinessPartner.PROPERTY_NAME + ") like lower('%" + token + "%') or ");
+ String tokenParamName = String.format("token_%d", tokenIndex);
+ tokenPrams.put(tokenParamName, "%" + token + "%");
+ whereClause.append(" lower(b." + BusinessPartner.PROPERTY_NAME + ") like lower(:"
+ + tokenParamName + " ) or ");
+ tokenIndex++;
 }
 whereClause.delete(whereClause.length() - 3, whereClause.length()).append(")");
 whereClause.append(" and b." + BusinessPartner.PROPERTY_ORGANIZATION + ".id in (");
@@ -420,6 +425,7 @@
 final Query<Object[]> bl = OBDal.getInstance()
 .getSession()
 .createQuery(whereClause.toString(), Object[].class);
+ bl.setProperties(tokenPrams);
 businessPartnersScroll = bl.scroll(ScrollMode.SCROLL_SENSITIVE);
 if (!businessPartnersScroll.next()) {
_______________________________________________ Openbravo-commits mailing list Openbravo-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openbravo-commits
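Review bot: The bound value `"%" + token + "%"` still passes any `%` or `_` contained in `token` through as LIKE wildcards, so the new binding closes the HQL-injection path but not the wildcard-broadening one; if the tokens originate from user input, escape `%`, `_` and the chosen escape character inside `token` before wrapping it and add an `escape` clause to the `like` so such characters match literally. Separately, `tokenPrams`, declared in this hunk and used as `bl.setProperties(tokenPrams)` in the following hunk, reads as a typo for `tokenParams`. The enclosing method starts and ends outside both hunks, so whether `list` can be empty (which would make the `delete(length - 3, length)` on the next context line eat part of `" where ("`) is not visible here; that behaviour predates this change.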