Add fix for SQL injection.
[policy/engine.git] / POLICY-SDK-APP / src / main / java / org / onap / policy / admin / PolicyNotificationMail.java
index bf89c01..a4e4762 100644 (file)
@@ -30,6 +30,7 @@ import java.util.Properties;
 import javax.mail.MessagingException;
 import javax.mail.internet.InternetAddress;
 import javax.mail.internet.MimeMessage;
+import javax.script.SimpleBindings;
 
 import org.onap.policy.common.logging.flexlogger.FlexLogger;
 import org.onap.policy.common.logging.flexlogger.Logger;
@@ -116,9 +117,12 @@ public class PolicyNotificationMail{
                        policyFileName = policyFileName.replace("\\", "\\\\");
                }
                
-               String query = "from WatchPolicyNotificationTable where policyName like'" +policyFileName+"%'";
+               policyFileName += "%";
+               String query = "from WatchPolicyNotificationTable where policyName like:policyFileName";
                boolean sendFlag = false;
-               List<Object> watchList = policyNotificationDao.getDataByQuery(query);
+               SimpleBindings params = new SimpleBindings();
+               params.put("policyFileName", policyFileName);
+               List<Object> watchList = policyNotificationDao.getDataByQuery(query, params);
                if(watchList != null && !watchList.isEmpty()){
                        for(Object watch : watchList){
                                WatchPolicyNotificationTable list = (WatchPolicyNotificationTable) watch;
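Review bot: The bound value is still a raw LIKE pattern: a `policyFileName` containing `_` or `%` widens the match beyond a prefix search, since only the trailing `%` added on the `policyFileName += "%";` line is intended as a wildcard. If callers can supply such names, escape `%` and `_` before binding (with a matching `escape` clause in the HQL), and please add a one-line comment stating that the backslash doubling on the context line above was introduced for the old string-literal query — whether it is still appropriate for a bound parameter depends on the target database's LIKE escape handling, so confirm rather than keep it by habit. For readability I would also write the parameter with a separating space, `"from WatchPolicyNotificationTable where policyName like :policyFileName"`, which is the conventional HQL form. The enclosing method starts and ends outside this hunk.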