Fixes issue 41242: DocFINBankStatement.createFact is not using bind-params
authorArmaignac <collazoandy4@gmail.com>
Mon, 22 Jul 2019 17:04:40 -0400
changeset 36429 057aaf20b293
parent 36428 3bc6b379f2cf
child 36430 18b55aec2e34
Fixes issue 41242: DocFINBankStatement.createFact is not using bind-params

Added missing bind-params
src/org/openbravo/erpCommon/ad_forms/DocFINBankStatement.java
--- a/src/org/openbravo/erpCommon/ad_forms/DocFINBankStatement.java	Mon Jul 22 16:21:04 2019 -0400
+++ b/src/org/openbravo/erpCommon/ad_forms/DocFINBankStatement.java	Mon Jul 22 17:04:40 2019 -0400
@@ -86,14 +86,16 @@
     try {
       //@formatter:off
       String whereClause = " as astdt "
-          + " where astdt.acctschemaTable.accountingSchema.id = "
-          + " '" + as.m_C_AcctSchema_ID + "'"
-          + "   and astdt.acctschemaTable.table.id = '" + AD_Table_ID + "'"
-          + "   and astdt.documentCategory = '" + DocumentType + "'";
+          + " where astdt.acctschemaTable.accountingSchema.id = :accountSchemaId"
+          + "   and astdt.acctschemaTable.table.id = :tableId"
+          + "   and astdt.documentCategory = :documentTypeId";
       //@formatter:on
 
       final OBQuery<AcctSchemaTableDocType> obqParameters = OBDal.getInstance()
           .createQuery(AcctSchemaTableDocType.class, whereClause);
+      obqParameters.setNamedParameter("accountSchemaId", as.m_C_AcctSchema_ID);
+      obqParameters.setNamedParameter("tableId", AD_Table_ID);
+      obqParameters.setNamedParameter("documentTypeId", DocumentType);
       final List<AcctSchemaTableDocType> acctSchemaTableDocTypes = obqParameters.list();
 
       if (acctSchemaTableDocTypes != null && acctSchemaTableDocTypes.size() > 0
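Review bot: The bind name `:documentTypeId` in the first query is misleading, because it is compared with `astdt.documentCategory` and bound to `DocumentType`, a category value rather than an id. Naming it `:documentCategory` in the clause and in `obqParameters.setNamedParameter("documentCategory", DocumentType);` would read correctly. The same table value is also called `:tableId` here and `:adTableId` in the second hunk's query; one name in both places makes it easier to check that every placeholder has a matching binding. The enclosing `try` block starts and ends outside the hunk.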
@@ -104,14 +106,14 @@
       if (strClassname.equals("")) {
         //@formatter:off
         String whereClause2 = " as ast "
-            + " where ast.accountingSchema.id = "
-            + " '" + as.m_C_AcctSchema_ID + "'"
-            + "   and ast.table.id = "
-            + " '" + AD_Table_ID + "'";
+            + " where ast.accountingSchema.id = :accountSchemaId"
+            + "   and ast.table.id = :adTableId";
         //@formatter:on
 
         final OBQuery<AcctSchemaTable> obqParameters2 = OBDal.getInstance()
             .createQuery(AcctSchemaTable.class, whereClause2);
+        obqParameters2.setNamedParameter("accountSchemaId", as.m_C_AcctSchema_ID);
+        obqParameters2.setNamedParameter("adTableId", AD_Table_ID);
         final List<AcctSchemaTable> acctSchemaTables = obqParameters2.list();
         if (acctSchemaTables != null && acctSchemaTables.size() > 0
             && acctSchemaTables.get(0).getCreatefactTemplate() != null) {
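Review bot: `obqParameters2.list()` loads every matching `AcctSchemaTable` row although only `acctSchemaTables.get(0)` is read. The where clause has no ordering, so which row supplies the template is unspecified if more than one matches. Adding `obqParameters2.setMaxResult(1);` before `list()` would bound the fetch. The first query in the previous hunk appears to follow the same pattern, though its condition is cut off there. A short comment above the clause, such as `// values are bound via setNamedParameter; do not concatenate into the HQL`, would help stop later edits from reintroducing string-built queries. The enclosing method continues outside the hunk.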