
Revision 6606

Uses a prepared statement instead of a plain Statement.
Deprecates the DBConnection.createStatement() method to discourage concatenating parameter values into SQL text, in favor of parameter binding.
http://bugzilla.ecoinformatics.org/show_bug.cgi?id=5527


DBEntityResolver.java
217 217
                 throws SAXException
218 218
  {
219 219
    String systemid = null;
220
    Statement stmt = null;
220
    PreparedStatement pstmt = null;
221 221
    DBConnection conn = null;
222 222
    int serialNumber = -1;
223 223
    try {
......
225 225
      conn=DBConnectionPool.getDBConnection("DBEntityResolver.getDTDSystemID");
226 226
      serialNumber=conn.getCheckOutSerialNumber();
227 227

  
228
      stmt = conn.createStatement();
229
      stmt.execute("SELECT system_id FROM xml_catalog " +
230
                   "WHERE entry_type = 'DTD' AND public_id = '" +
231
                   doctype + "'");
232
      ResultSet rs = stmt.getResultSet();
228
      String sql = "SELECT system_id FROM xml_catalog " +
229
      "WHERE entry_type = 'DTD' AND public_id = ?";
230
      
231
      pstmt = conn.prepareStatement(sql);
232
      pstmt.setString(1, doctype);
233
      
234
      pstmt.execute();
235
      ResultSet rs = pstmt.getResultSet();
233 236
      boolean tableHasRows = rs.next();
234 237
      if (tableHasRows) {
235 238
        systemid = rs.getString(1);
......
238 241
        	systemid = SystemUtil.getContextURL() + systemid;
239 242
        }
240 243
      }
241
      stmt.close();
244
      pstmt.close();
242 245
    } catch (SQLException e) {
243 246
      throw new SAXException
244 247
      ("DBEntityResolver.getDTDSystemID - SQL error when getting DTD system ID: " + e.getMessage());
......
250 253
    {
251 254
      try
252 255
      {
253
        stmt.close();
256
        pstmt.close();
254 257
      }//try
255 258
      catch (SQLException sqlE)
256 259
      {
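Review bot: The `pstmt.close();` added in the finally block (new line 256) dereferences `pstmt` unconditionally, but `pstmt` is still null when `DBConnectionPool.getDBConnection` or `conn.prepareStatement` throws, so the cleanup raises a NullPointerException that `catch (SQLException sqlE)` cannot handle and the SAXException thrown from the main catch is lost; the old `stmt.close();` had the same gap and this commit carries it over. Guard it: `if (pstmt != null) { pstmt.close(); }`, which also makes the earlier `pstmt.close();` at new line 244 redundant, since the finally now always releases the statement and its ResultSet. Binding `doctype` through `setString(1, doctype)` is the right fix here, as the public id is taken from the document being parsed and must not be spliced into the SQL text. The main catch at new lines 246–247 could additionally preserve the cause with `throw new SAXException("DBEntityResolver.getDTDSystemID - SQL error when getting DTD system ID: " + e.getMessage(), e);` rather than keeping only the message. The enclosing getDTDSystemID method begins before this hunk and the rest of its finally block lies after it.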
