Merge "Fix sql injection vulnerability"

[portal.git] / ecomp-portal-BE-common / src / main / java / org / onap / portalapp / portal / service / UserRolesCommonServiceImpl.java

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index a216564..b41dcd7 100644 (file)
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -291,8 +291,12 @@ public class UserRolesCommonServiceImpl  {
                                EPUser client = userList.get(0);
                                roleActive = ("DELETE".equals(reqType)) ? "" : " and role.active = 'Y'";
                                @SuppressWarnings("unchecked")
-                               List<EPUserApp> userRoles = localSession.createQuery("from " + EPUserApp.class.getName()
-                                               + " where app.id=" + appId + roleActive + " and userId=" + client.getId()).list();
+                               List<EPUserApp> userRoles = localSession.createQuery("from :name where app.id=:appId :roleActive and userId=:userId")
+                                               .setParameter("name",EPUserApp.class.getName())
+                                               .setParameter("appId",appId)
+                                               .setParameter("roleActive",roleActive)
+                                               .setParameter("userId",client.getId())
+                                               .list();
                                
                                if ("DELETE".equals(reqType)) {
                                        for (EPUserApp userAppRoleList : userRoles) {