apache · adamsaghy · Feb 17, 2026 · Feb 14, 2026
diff --git a/.../main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataService.java b/.../main/java/org/apache/fineract/infrastructure/dataqueries/service/GenericDataService.java
@@ -31,6 +31,8 @@ public interface GenericDataService {
 
     List<ResultsetRowData> fillResultsetRowData(String sql, List<ResultsetColumnHeaderData> columnHeaders);
 
+    List<ResultsetRowData> fillResultsetRowData(String sql, List<ResultsetColumnHeaderData> columnHeaders, Object... args);
+
     String generateJsonFromGenericResultsetData(GenericResultsetData grs);
 
     String replace(String str, String pattern, String replace);

diff --git a/...java/org/apache/fineract/infrastructure/dataqueries/service/DatatableReadServiceImpl.java b/...java/org/apache/fineract/infrastructure/dataqueries/service/DatatableReadServiceImpl.java
@@ -263,8 +263,8 @@ public GenericResultsetData retrieveDataTableGenericResultSet(final String dataT
     @Override
     public Long countDatatableEntries(final String datatableName, final Long appTableId, String foreignKeyColumn) {
         final String sqlString = "SELECT COUNT(" + sqlGenerator.escape(foreignKeyColumn) + ") FROM " + sqlGenerator.escape(datatableName)
-                + " WHERE " + sqlGenerator.escape(foreignKeyColumn) + " = " + appTableId;
-        return this.jdbcTemplate.queryForObject(sqlString, Long.class); // NOSONAR
+                + " WHERE " + sqlGenerator.escape(foreignKeyColumn) + " = ?";
+        return this.jdbcTemplate.queryForObject(sqlString, Long.class, appTableId); // NOSONAR
     }
 
     @Override

diff --git a/...r/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/DatatableUtil.java b/...r/src/main/java/org/apache/fineract/infrastructure/dataqueries/service/DatatableUtil.java
@@ -23,6 +23,7 @@
 import static org.apache.fineract.infrastructure.dataqueries.api.DataTableApiConstant.TABLE_FIELD_ID;
 import static org.apache.fineract.infrastructure.dataqueries.api.DataTableApiConstant.TABLE_REGISTERED_TABLE;
 
+import java.util.ArrayList;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -112,9 +113,10 @@ public EntityTables queryForApplicationEntity(final String datatable) {
     }
 
     public CommandProcessingResult checkMainResourceExistsWithinScope(@NonNull EntityTables entityTable, final Long appTableId) {
-        final String sql = dataScopedSQL(entityTable, appTableId);
+        final List<Object> params = new ArrayList<>();
+        final String sql = dataScopedSQL(entityTable, appTableId, params);
         log.debug("data scoped sql: {}", sql);
-        final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sql);
+        final SqlRowSet rs = this.jdbcTemplate.queryForRowSet(sql, params.toArray());
 
         if (!rs.next()) {
             throw new DatatableNotFoundException(entityTable, appTableId);
@@ -140,81 +142,110 @@ public CommandProcessingResult checkMainResourceExistsWithinScope(@NonNull Entit
                 .build();
     }
 
-    public String dataScopedSQL(@NonNull EntityTables entityTable, final Long appTableId) {
+    public String dataScopedSQL(@NonNull EntityTables entityTable, final Long appTableId, final List<Object> params) {
         // unfortunately have to, one way or another, be able to restrict data to the users office hierarchy. Here, a
         // few key tables are done. But if additional fields are needed on other tables the same pattern applies
         final AppUser currentUser = this.context.authenticatedUser();
         String officeHierarchy = currentUser.getOffice().getHierarchy();
+        String hierarchyPattern = officeHierarchy + "%";
         // m_loan and m_savings_account are connected to an m_office through either an m_client or an m_group If both it
         // means it relates to an m_client that is in a group (still an m_client account)
         return switch (entityTable) {
-            case LOAN -> "select distinct x.* from ( "
-                    + "(select o.id as officeId, l.group_id as groupId, l.client_id as clientId, null as savingsId, l.id as loanId, null as transactionId, null as entityId from m_loan l "
-                    + getClientOfficeJoinCondition(officeHierarchy, "l") + " where l.id = " + appTableId + ")" + " union all "
-                    + "(select o.id as officeId, l.group_id as groupId, l.client_id as clientId, null as savingsId, l.id as loanId, null as transactionId, null as entityId from m_loan l "
-                    + getGroupOfficeJoinCondition(officeHierarchy, "l") + " where l.id = " + appTableId + ")" + " ) as x";
-            case SAVINGS -> "select distinct x.* from ( "
-                    + "(select o.id as officeId, s.group_id as groupId, s.client_id as clientId, s.id as savingsId, null as loanId, null as transactionId, null as entityId "
-                    + "from m_savings_account s " + getClientOfficeJoinCondition(officeHierarchy, "s") + " where s.id = " + appTableId + ")"
-                    + " union all "
-                    + "(select o.id as officeId, s.group_id as groupId, s.client_id as clientId, s.id as savingsId, null as loanId, null as transactionId, null as entityId "
-                    + "from m_savings_account s " + getGroupOfficeJoinCondition(officeHierarchy, "s") + " where s.id = " + appTableId + ")"
-                    + " ) as x";
-            case SAVINGS_TRANSACTION -> "select distinct x.* from ( "
-                    + "(select o.id as officeId, s.group_id as groupId, s.client_id as clientId, s.id as savingsId, null as loanId, t.id as transactionId, null as entityId "
-                    + "from m_savings_account_transaction t join m_savings_account s on t.savings_account_id = s.id "
-                    + getClientOfficeJoinCondition(officeHierarchy, "s") + " where t.id = " + appTableId + ")" + " union all "
-                    + "(select o.id as officeId, s.group_id as groupId, s.client_id as clientId, s.id as savingsId, null as loanId, t.id as transactionId, null as entityId "
-                    + "from m_savings_account_transaction t join m_savings_account s on t.savings_account_id = s.id "
-                    + getGroupOfficeJoinCondition(officeHierarchy, "s") + " where t.id = " + appTableId + ")" + " ) as x";
-            case CLIENT ->
-                "select o.id as officeId, null as groupId, c.id as clientId, null as savingsId, null as loanId, null as transactionId, null as entityId from m_client c "
-                        + getOfficeJoinCondition(officeHierarchy, "c") + " where c.id = " + appTableId;
-            case GROUP, CENTER ->
-                "select o.id as officeId, g.id as groupId, null as clientId, null as savingsId, null as loanId, null as transactionId, null as entityId from m_group g "
-                        + getOfficeJoinCondition(officeHierarchy, "g") + " where g.id = " + appTableId;
-            case OFFICE ->
-                "select o.id as officeId, null as groupId, null as clientId, null as savingsId, null as loanId, null as transactionId, null as entityId from m_office o "
-                        + "where o.hierarchy like '" + officeHierarchy + "%'" + " and o.id = " + appTableId;
-            case LOAN_PRODUCT, SAVINGS_PRODUCT, SHARE_PRODUCT ->
-                "select null as officeId, null as groupId, null as clientId, null as savingsId, null as loanId, null as transactionId, p.id as entityId from "
-                        + entityTable.getName() + " as p WHERE p.id = " + appTableId;
+            case LOAN -> {
+                params.add(hierarchyPattern);
+                params.add(appTableId);
+                params.add(hierarchyPattern);
+                params.add(appTableId);
+                yield "select distinct x.* from ( "
+                        + "(select o.id as officeId, l.group_id as groupId, l.client_id as clientId, null as savingsId, l.id as loanId, null as transactionId, null as entityId from m_loan l "
+                        + getClientOfficeJoinCondition("l") + " where l.id = ?)" + " union all "
+                        + "(select o.id as officeId, l.group_id as groupId, l.client_id as clientId, null as savingsId, l.id as loanId, null as transactionId, null as entityId from m_loan l "
+                        + getGroupOfficeJoinCondition("l") + " where l.id = ?)" + " ) as x";
+            }
+            case SAVINGS -> {
+                params.add(hierarchyPattern);
+                params.add(appTableId);
+                params.add(hierarchyPattern);
+                params.add(appTableId);
+                yield "select distinct x.* from ( "
+                        + "(select o.id as officeId, s.group_id as groupId, s.client_id as clientId, s.id as savingsId, null as loanId, null as transactionId, null as entityId "
+                        + "from m_savings_account s " + getClientOfficeJoinCondition("s") + " where s.id = ?)" + " union all "
+                        + "(select o.id as officeId, s.group_id as groupId, s.client_id as clientId, s.id as savingsId, null as loanId, null as transactionId, null as entityId "
+                        + "from m_savings_account s " + getGroupOfficeJoinCondition("s") + " where s.id = ?)" + " ) as x";
+            }
+            case SAVINGS_TRANSACTION -> {
+                params.add(hierarchyPattern);
+                params.add(appTableId);
+                params.add(hierarchyPattern);
+                params.add(appTableId);
+                yield "select distinct x.* from ( "
+                        + "(select o.id as officeId, s.group_id as groupId, s.client_id as clientId, s.id as savingsId, null as loanId, t.id as transactionId, null as entityId "
+                        + "from m_savings_account_transaction t join m_savings_account s on t.savings_account_id = s.id "
+                        + getClientOfficeJoinCondition("s") + " where t.id = ?)" + " union all "
+                        + "(select o.id as officeId, s.group_id as groupId, s.client_id as clientId, s.id as savingsId, null as loanId, t.id as transactionId, null as entityId "
+                        + "from m_savings_account_transaction t join m_savings_account s on t.savings_account_id = s.id "
+                        + getGroupOfficeJoinCondition("s") + " where t.id = ?)" + " ) as x";
+            }
+            case CLIENT -> {
+                params.add(hierarchyPattern);
+                params.add(appTableId);
+                yield "select o.id as officeId, null as groupId, c.id as clientId, null as savingsId, null as loanId, null as transactionId, null as entityId from m_client c "
+                        + getOfficeJoinCondition("c") + " where c.id = ?";
+            }
+            case GROUP, CENTER -> {
+                params.add(hierarchyPattern);
+                params.add(appTableId);
+                yield "select o.id as officeId, g.id as groupId, null as clientId, null as savingsId, null as loanId, null as transactionId, null as entityId from m_group g "
+                        + getOfficeJoinCondition("g") + " where g.id = ?";
+            }
+            case OFFICE -> {
+                params.add(hierarchyPattern);
+                params.add(appTableId);
+                yield "select o.id as officeId, null as groupId, null as clientId, null as savingsId, null as loanId, null as transactionId, null as entityId from m_office o "
+                        + "where o.hierarchy like ? and o.id = ?";
+            }
+            case LOAN_PRODUCT, SAVINGS_PRODUCT, SHARE_PRODUCT -> {
+                params.add(appTableId);
+                yield "select null as officeId, null as groupId, null as clientId, null as savingsId, null as loanId, null as transactionId, p.id as entityId from "
+                        + entityTable.getName() + " as p WHERE p.id = ?";
+            }
             default -> throw new PlatformDataIntegrityException("error.msg.invalid.dataScopeCriteria",
                     "Application Table: " + entityTable.getName() + " not catered for in data Scoping");
         };
     }
 
-    public String getOfficeJoinCondition(String officeHierarchy, String joinTableAlias) {
-        return " join m_office o on o.id = " + joinTableAlias + ".office_id and o.hierarchy like '" + officeHierarchy + "%' ";
+    public String getOfficeJoinCondition(String joinTableAlias) {
+        return " join m_office o on o.id = " + joinTableAlias + ".office_id and o.hierarchy like ? ";
     }
 
-    public String getGroupOfficeJoinCondition(String officeHierarchy, String appTableAlias) {
-        return " join m_group g on g.id = " + appTableAlias + ".group_id " + getOfficeJoinCondition(officeHierarchy, "g");
+    public String getGroupOfficeJoinCondition(String appTableAlias) {
+        return " join m_group g on g.id = " + appTableAlias + ".group_id " + getOfficeJoinCondition("g");
     }
 
-    public String getClientOfficeJoinCondition(String officeHierarchy, String appTableAlias) {
-        return " join m_client c on c.id = " + appTableAlias + ".client_id " + getOfficeJoinCondition(officeHierarchy, "c");
+    public String getClientOfficeJoinCondition(String appTableAlias) {
+        return " join m_client c on c.id = " + appTableAlias + ".client_id " + getOfficeJoinCondition("c");
     }
 
     public GenericResultsetData retrieveDataTableGenericResultSet(final EntityTables entityTable, final String dataTableName,
             final Long appTableId, final String order, final Long id) {
         final List<ResultsetColumnHeaderData> columnHeaders = genericDataService.fillResultsetColumnHeaders(dataTableName);
         final boolean multiRow = isMultirowDatatable(columnHeaders);
 
-        String whereClause = getFKField(entityTable) + " = " + appTableId;
-        sqlValidator.validate(whereClause);
-        String sql = "select * from " + sqlGenerator.escape(dataTableName) + " where " + whereClause;
+        final List<Object> params = new ArrayList<>();
+        params.add(appTableId);
+        String sql = "select * from " + sqlGenerator.escape(dataTableName) + " where " + getFKField(entityTable) + " = ?";
 
         // id only used for reading a specific entry that belongs to appTableId (in a one to many datatable)
         if (multiRow && id != null) {
-            sql = sql + " and " + TABLE_FIELD_ID + " = " + id;
+            sql = sql + " and " + TABLE_FIELD_ID + " = ?";
+            params.add(id);
         }
         if (StringUtils.isNotBlank(order)) {
             columnValidator.validateSqlInjection(sql, order);
             sql = sql + " order by " + order;
         }
 
-        final List<ResultsetRowData> result = genericDataService.fillResultsetRowData(sql, columnHeaders);
+        final List<ResultsetRowData> result = genericDataService.fillResultsetRowData(sql, columnHeaders, params.toArray());
         return new GenericResultsetData(columnHeaders, result);
     }