[#12901] Added the check for search service and moved the method to the correct file

src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java

@@ -192,19 +192,4 @@ public void testSqlInjectionInDeleteAccountRequest() throws Exception {
         AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
         assertEquals(accountRequest, actual);
     }
-
-    @Test
-    public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
-        ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
-
-        AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
-        accountRequestDb.createAccountRequest(accountRequest);
-
-        String searchInjection = "institute'; DROP TABLE account_requests; --";
-        List<AccountRequest> actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection);
-        assertEquals(0, actualInjection.size());
-
-        AccountRequest actual = accountRequestDb.getAccountRequest("test@gmail.com", "institute");
-        assertEquals(accountRequest, actual);
-    }
-}
+}

src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java

@@ -164,4 +164,23 @@ private static void verifySearchResults(List<AccountRequest> actual,
         AssertHelper.assertSameContentIgnoreOrder(Arrays.asList(expected), actual);
     }
 
-}
+    @Test
+    public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
+
+        if (!TestProperties.isSearchServiceActive()) { 
+            return; 
+        } 
+
+        ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
+
+        AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
+        accountRequestsDb.createAccountRequest(accountRequest);
+
+        String searchInjection = "institute'; DROP TABLE account_requests; --";
+        List<AccountRequest> actualInjection = accountRequestsDb.searchAccountRequestsInWholeSystem(searchInjection);
+        assertEquals(0, actualInjection.size());
+
+        AccountRequest actual = accountRequestsDb.getAccountRequest("test@gmail.com", "institute");
+        assertEquals(accountRequest, actual);
+    }
+}

src/main/java/teammates/storage/sqlsearch/AccountRequestSearchManager.java

@@ -5,6 +5,7 @@
 
 import org.apache.solr.client.solrj.SolrQuery;
 import org.apache.solr.client.solrj.response.QueryResponse;
+import org.apache.solr.client.solrj.util.ClientUtils;
 import org.apache.solr.common.SolrDocument;
 
 import teammates.common.exception.SearchServiceException;
@@ -50,7 +51,10 @@ void sortResult(List<AccountRequest> result) {
      * Searches for account requests.
      */
     public List<AccountRequest> searchAccountRequests(String queryString) throws SearchServiceException {
-        SolrQuery query = getBasicQuery(queryString);
+        // Escape special characters in the query string
+        String escapedQueryString = ClientUtils.escapeQueryChars(queryString);
+
+        SolrQuery query = getBasicQuery(escapedQueryString);
 
         QueryResponse response = performQuery(query);
         return convertDocumentToEntities(response.getResults());