Update SQL generators to use sanitization of strings used in query

We currently use prepared statements to sanitize our fields and block injection based attacks. There is a few fields where, with enough effort, the checks could potentially be circumvented. An example of this is the field name in the order by clause of the HQLGenerator class. Usage of this class is still rare, so the risk is low but we should fix this hole sooner rather than later.

assigned to @malowe

added persistence + 1 deleted label

added Enhancement label

added to epic eclipsefdn&15 (closed)

added statetodo label

added statewip label and removed statetodo label

Currently, we already implement the industry recommended secure querying for Java, see https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html#MySQL_Escaping. We implement prepared statements with bound parameters meaning that the values that are passed are as safe as they can be already. Sanitizing the values any farther will likely just lead in no gain in security and instead risk lower data integrity. Closing this issue.

closed

mentioned in issue #68 (moved)