Merge "Fix sql injection vulnerability"
diff --git a/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java b/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
index b99863e..59180d3 100644
--- a/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
+++ b/ecomp-portal-widget-ms/widget-ms/src/main/java/org/onap/portalapp/widget/service/impl/WidgetCatalogServiceImpl.java
@@ -244,16 +244,15 @@
 		logger.debug("WidgetCatalogServiceImpl.getWidgetCatalog: result={}", widgets);
 		return widgets;
 	}
-	
-	
-	
-	
-	
+
 	private void updateAppId(long widgetId, Set<RoleApp> roles){
 		Session session = sessionFactory.openSession();
 		for(RoleApp role: roles){
-			String sql = "UPDATE ep_widget_catalog_role SET app_id = " + role.getApp().getAppId() + " WHERE widget_id = " + widgetId + " AND ROLE_ID = " + role.getRoleId() ;
+			String sql = "UPDATE ep_widget_catalog_role SET app_id = :appId WHERE widget_id = :widgetId AND ROLE_ID = :roleId" ;
 			Query query = session.createSQLQuery(sql);
+			query.setParameter("appId", role.getApp().getAppId());
+			query.setParameter("widgetId", widgetId);
+			query.setParameter("roleId", role.getRoleId());
 			query.executeUpdate();
 		}
 		session.flush();
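Review bot: The `Session` opened by `sessionFactory.openSession()` on the second line of the new `updateAppId` body is not released anywhere inside this hunk, so if `query.setParameter(...)` or `query.executeUpdate()` throws, the session leaks unless the part of the method that continues past the hunk closes it in a `finally`. Wrapping the loop in `try (Session session = sessionFactory.openSession()) { ... }` (or an explicit `try { ... } finally { session.close(); }`) would make the lifetime independent of the update succeeding; the method's body ends outside the hunk, so the existing close, if any, is not visible here. The switch to named parameters is the right fix for the injection, and a short Javadoc on the method would help the next reader, e.g. `/** Sets app_id on every ep_widget_catalog_role row for widgetId and the given roles; parameters are bound, never concatenated. */`.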