The Fineract code base in many places creates SQL statements through String concatenation. This is prone to SQL injection. This is mitigated by the use of helpers utilities such as org.apache.fineract.infrastructure.core.api.ApiParameterHelper.sqlEncodeString(String) and org.apache.fineract.infrastructure.security.utils.SQLInjectionValidator.validateSQLInput(String) but I opine that those are workarounds... the better solution, both for security and likely also helping with performance (at least a little bit, knowing how much would require measuring it...), would be to use JDBC prepared statements with '?' placeholders and passing all raw arguments, instead of embedding them in the query String.
FINERACT-808 root cause analysis brought this up, and I'm about to raise a PR for FINERACT-808 which makes a start; the goal of this issue is to use the new org.apache.fineract.infrastructure.security.utils.SQLBuilder everywhere, and eventually be able to get completely rid of ApiParameterHelper and SQLInjectionValidator.
This issue should also include work to scan the code base for places where SQL Strings are concatenated without even using the existing helpers. FINERACT-853 could potentially help with that.