Expand Up @@ -59,8 +59,8 @@ public ExternalServicesData getExternalServiceDetailsByServiceName(String servic
default:
throw new ExternalServiceConfigurationNotFoundException(serviceName);
}
final String sql = "SELECT es.name as name, es.id as id FROM c_external_service es where es.name='" + serviceNameToUse + "'";
final ExternalServicesData externalServicesData = this.jdbcTemplate.query(sql, resultSetExtractor); // NOSONAR
final String sql = "SELECT es.name as name, es.id as id FROM c_external_service es where es.name = ?";
final ExternalServicesData externalServicesData = this.jdbcTemplate.query(sql, resultSetExtractor, new Object[]{serviceNameToUse}); // NOSONAR
return externalServicesData;
}

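Review bot: The `// NOSONAR` marker kept on the new `jdbcTemplate.query(...)` line is now stale: `serviceNameToUse` is bound through the `?` in the rewritten `sql` string, so if the marker was silencing the SQL-injection rule there is nothing left to suppress, and leaving it in place hides any later regression back to concatenation. Drop it, i.e. `final ExternalServicesData externalServicesData = this.jdbcTemplate.query(sql, resultSetExtractor, new Object[]{serviceNameToUse});`. The `query(String, ResultSetExtractor, Object...)` overload accepts the array as varargs, so no other change is needed. `getExternalServiceDetailsByServiceName` begins above the hunk; only its `default:` branch and the query are visible here.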
Expand Up @@ -59,7 +59,7 @@ public List<SurveyDataTableData> retrieveAllSurveys() {

String sql = this.retrieveAllSurveySQL("");

final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sql);
final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sql, new Object[] {this.context.authenticatedUser().getId(), DataTableApiConstant.CATEGORY_PPI});

final List<SurveyDataTableData> surveyDataTables = new ArrayList<>();
while (rs.next()) {
Expand All @@ -83,9 +83,9 @@ private String retrieveAllSurveySQL(String andClause) {
+ " left join c_configuration cf on x_registered_table.registered_table_name = cf.name " + " where exists" + " (select 'f'"
+ " from m_appuser_role ur " + " join m_role r on r.id = ur.role_id"
+ " left join m_role_permission rp on rp.role_id = r.id" + " left join m_permission p on p.id = rp.permission_id"
+ " where ur.appuser_id = " + this.context.authenticatedUser().getId()
+ " where ur.appuser_id = ?"
+ " and (p.code in ('ALL_FUNCTIONS', 'ALL_FUNCTIONS_READ') or p.code = concat('READ_', registered_table_name))) "
+ " and x_registered_table.category = " + DataTableApiConstant.CATEGORY_PPI + andClause
+ " and x_registered_table.category = ?" + andClause
+ " order by application_table_name, registered_table_name";
}

Expand Down Expand Up @@ -143,7 +143,7 @@ public List<ClientScoresOverview> retrieveClientSurveyScoreOverview(String surve
@Override
public List<ClientScoresOverview> retrieveClientSurveyScoreOverview(Long clientId) {
final String surveyNameSql = retrieveAllSurveyNameSQL();
final SqlRowSet surveyNames = this.jdbcTemplate.queryForRowSet(surveyNameSql);
final SqlRowSet surveyNames = this.jdbcTemplate.queryForRowSet(surveyNameSql, new Object[] {this.context.authenticatedUser().getId(), DataTableApiConstant.CATEGORY_PPI});

ArrayList<String> sqls = new ArrayList<>();

Expand All @@ -153,13 +153,13 @@ public List<ClientScoresOverview> retrieveClientSurveyScoreOverview(Long clientI
+ " tz" + " JOIN ppi_likelihoods_ppi lkp on lkp.ppi_name = '" + surveyNames.getString("name") + "' AND enabled = '"
+ LikelihoodStatus.ENABLED + "' JOIN ppi_scores sc on score_from <= tz.score AND score_to >=tz.score"
+ " JOIN ppi_poverty_line pvl on pvl.likelihood_ppi_id = lkp.id AND pvl.score_id = sc.id"
+ " JOIN ppi_likelihoods lkh on lkh.id = lkp.likelihood_id " + " WHERE client_id = " + clientId);
+ " JOIN ppi_likelihoods lkh on lkh.id = lkp.likelihood_id " + " WHERE client_id = ?");
}

List<ClientScoresOverview> scoresOverviews = new ArrayList<>();

for (String sql : sqls) {
final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sql);
final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sql, new Object[] {clientId});

while (rs.next()) {
scoresOverviews.add(new ClientScoresOverview().setLikelihoodCode(rs.getString("code"))
Expand All @@ -180,9 +180,9 @@ private String retrieveAllSurveyNameSQL() {
return "select cf.name from x_registered_table " + " join c_configuration cf on x_registered_table.registered_table_name = cf.name "
+ " where exists" + " (select 'f'" + " from m_appuser_role ur " + " join m_role r on r.id = ur.role_id"
+ " left join m_role_permission rp on rp.role_id = r.id" + " left join m_permission p on p.id = rp.permission_id"
+ " where ur.appuser_id = " + this.context.authenticatedUser().getId()
+ " where ur.appuser_id = ?"
+ " and (p.code in ('ALL_FUNCTIONS', 'ALL_FUNCTIONS_READ') or p.code = concat('READ_', registered_table_name))) "
+ " and x_registered_table.category = " + DataTableApiConstant.CATEGORY_PPI
+ " and x_registered_table.category = ?"
+ " order by application_table_name, registered_table_name";
}

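Review bot: The `ppi_name` comparison on the first line of the `retrieveClientSurveyScoreOverview(Long)` hunk still splices `surveyNames.getString("name")` into the statement inside quotes while `client_id` in the same statement was moved to `?`, so the query is only half-parameterized. The name comes from `c_configuration` rows returned by `retrieveAllSurveyNameSQL` rather than directly from the request, so it is a second-order concatenation, but binding it like the other values removes the dependence on that column's contents and keeps the change consistent. Because `sqls` holds only statement text, the bound name has to travel alongside it; the loop that fills `sqls` and the opening of its `sqls.add(...)` are above the hunk, so the sketch below assumes one `sqls.add` per `surveyNames.next()` iteration. Separately, `retrieveAllSurveySQL` now needs two bind values (appuser id, then `CATEGORY_PPI`) before anything `andClause` contributes, and any caller outside this diff that passes a non-empty `andClause` must be updated to supply them in that order.
```java
ArrayList<String> sqls = new ArrayList<>();
ArrayList<String> surveyNameArgs = new ArrayList<>();
// … unchanged: while (surveyNames.next()) and the start of the sqls.add(...) string (above the hunk) …
        + " tz" + " JOIN ppi_likelihoods_ppi lkp on lkp.ppi_name = ? AND enabled = '"
        // … unchanged: remaining joins …
        + " JOIN ppi_likelihoods lkh on lkh.id = lkp.likelihood_id " + " WHERE client_id = ?");
surveyNameArgs.add(surveyNames.getString("name")); // same iteration as the sqls.add above
// … unchanged: scoresOverviews declaration …
for (int i = 0; i < sqls.size(); i++) {
    final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sqls.get(i), new Object[] {surveyNameArgs.get(i), clientId});
```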
Expand Up @@ -91,7 +91,7 @@ public void validateCashierAllowedDateAndTime(final Cashier cashier, final Telle
/**
* to validate cashier has not been assigned for same duration
*/
String sql = "select count(*) from m_cashiers c where c.staff_id = " + staffId + " AND " + "(('" + fromDate
String sql = "select count(*) from m_cashiers c where c.staff_id = ?" + " AND " + "(('" + fromDate
+ "' BETWEEN c.start_date AND c.end_date OR '" + endDate + "' BETWEEN c.start_date AND c.end_date )"
+ " OR ( c.start_date BETWEEN '" + fromDate + "' AND '" + endDate + "' OR c.end_date BETWEEN '" + fromDate + "' AND '"
+ endDate + "'))";
Expand All @@ -101,7 +101,7 @@ public void validateCashierAllowedDateAndTime(final Cashier cashier, final Telle
sql = sql + " AND ( Time(c.start_time) BETWEEN TIME(?) and TIME('" + endTime + "') or Time(c.end_time) BETWEEN TIME('"
+ startTime + "') and TIME('" + endTime + "')) ";
}
int count = this.jdbcTemplate.queryForObject(sql, Integer.class); // NOSONAR
int count = this.jdbcTemplate.queryForObject(sql, Integer.class, new Object[] {staffId}); // NOSONAR
if (count > 0) {
throw new CashierAlreadyAlloacated();
}
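Review bot: The new bind array on the `queryForObject` line supplies only `staffId`, but the context line that appends the time clause already contains a `TIME(?)` placeholder, so whenever that branch is taken the statement has two `?` markers and one argument and fails at execution (before this change the lone `?` would have failed the same way, if that branch was ever exercised). The same pair of hunks also leaves `fromDate`, `endDate`, `startTime` and `endTime` spliced into the SQL inside quotes, which is exactly the pattern the commit set out to remove. Collecting the bind values in a list as the statement is assembled fixes both, since every value becomes a `?` and the argument array always matches the placeholder count; this assumes the four values are strings or JDBC-mappable temporal types (they are only seen here through concatenation) and needs `java.util.List`/`ArrayList` in scope. Once nothing is concatenated the `// NOSONAR` marker can go as well, if it was silencing the injection rule. `validateCashierAllowedDateAndTime` begins above the first hunk and continues past the second.
```java
final List<Object> args = new ArrayList<>();
String sql = "select count(*) from m_cashiers c where c.staff_id = ?" + " AND " + "((? BETWEEN c.start_date AND c.end_date OR ? BETWEEN c.start_date AND c.end_date )"
        + " OR ( c.start_date BETWEEN ? AND ? OR c.end_date BETWEEN ? AND ?))";
args.add(staffId);
args.add(fromDate); args.add(endDate);                                        // first BETWEEN pair
args.add(fromDate); args.add(endDate); args.add(fromDate); args.add(endDate); // second and third pairs
// … unchanged: condition guarding the time clause (above the hunk) …
    sql = sql + " AND ( Time(c.start_time) BETWEEN TIME(?) and TIME(?) or Time(c.end_time) BETWEEN TIME(?) and TIME(?)) ";
    args.add(startTime); args.add(endTime); args.add(startTime); args.add(endTime);
// … unchanged: closing brace of that branch …
int count = this.jdbcTemplate.queryForObject(sql, Integer.class, args.toArray());
```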