Merge "Fix sql injection vulnerability"

author: Sunder Tattavarada <statta@research.att.com> 2019-07-08 19:27:46 +0000
committer: Gerrit Code Review <gerrit@onap.org> 2019-07-08 19:27:46 +0000
commit: 10666973ce95e8f5768973fe0a151899a38eef02 (patch)
tree: f4b2ebebea710f54414423ff73a04f044acb34d4 /ecomp-portal-BE-common/src/main
parent: 3f56b9fdb4d2ec891344d6c9048363e1cac587d2 (diff)
parent: d38e7941361188f3d114f2f25258a0024f2a2f90 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 1d9ed57e..bc0fd06d 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -283,7 +283,10 @@ public class UserRolesCommonServiceImpl  {
 			transaction = localSession.beginTransaction();
 			@SuppressWarnings("unchecked")
 			List<EPUser> userList = localSession
-					.createQuery("from " + EPUser.class.getName() + " where orgUserId='" + userId + "'").list();
+					.createQuery("from :name where orgUserId=:userId")
+					.setParameter("name",EPUser.class.getName())
+					.setParameter("userId",userId)
+					.list();
 			if (userList.size() > 0) {
 				EPUser client = userList.get(0);
 				roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";
author	Sunder Tattavarada <statta@research.att.com>	2019-07-08 19:27:46 +0000
committer	Gerrit Code Review <gerrit@onap.org>	2019-07-08 19:27:46 +0000
commit	10666973ce95e8f5768973fe0a151899a38eef02 (patch)
tree	f4b2ebebea710f54414423ff73a04f044acb34d4 /ecomp-portal-BE-common/src/main
parent	3f56b9fdb4d2ec891344d6c9048363e1cac587d2 (diff)
parent	d38e7941361188f3d114f2f25258a0024f2a2f90 (diff)