Revision 6606
Added by ben leinfelder over 12 years ago
DBEntityResolver.java | ||
---|---|---|
217 | 217 |
throws SAXException |
218 | 218 |
{ |
219 | 219 |
String systemid = null; |
220 |
Statement stmt = null;
|
|
220 |
PreparedStatement pstmt = null;
|
|
221 | 221 |
DBConnection conn = null; |
222 | 222 |
int serialNumber = -1; |
223 | 223 |
try { |
... | ... | |
225 | 225 |
conn=DBConnectionPool.getDBConnection("DBEntityResolver.getDTDSystemID"); |
226 | 226 |
serialNumber=conn.getCheckOutSerialNumber(); |
227 | 227 |
|
228 |
stmt = conn.createStatement(); |
|
229 |
stmt.execute("SELECT system_id FROM xml_catalog " + |
|
230 |
"WHERE entry_type = 'DTD' AND public_id = '" + |
|
231 |
doctype + "'"); |
|
232 |
ResultSet rs = stmt.getResultSet(); |
|
228 |
String sql = "SELECT system_id FROM xml_catalog " + |
|
229 |
"WHERE entry_type = 'DTD' AND public_id = ?"; |
|
230 |
|
|
231 |
pstmt = conn.prepareStatement(sql); |
|
232 |
pstmt.setString(1, doctype); |
|
233 |
|
|
234 |
pstmt.execute(); |
|
235 |
ResultSet rs = pstmt.getResultSet(); |
|
233 | 236 |
boolean tableHasRows = rs.next(); |
234 | 237 |
if (tableHasRows) { |
235 | 238 |
systemid = rs.getString(1); |
... | ... | |
238 | 241 |
systemid = SystemUtil.getContextURL() + systemid; |
239 | 242 |
} |
240 | 243 |
} |
241 |
stmt.close(); |
|
244 |
pstmt.close();
|
|
242 | 245 |
} catch (SQLException e) { |
243 | 246 |
throw new SAXException |
244 | 247 |
("DBEntityResolver.getDTDSystemID - SQL error when getting DTD system ID: " + e.getMessage()); |
... | ... | |
250 | 253 |
{ |
251 | 254 |
try |
252 | 255 |
{ |
253 |
stmt.close(); |
|
256 |
pstmt.close();
|
|
254 | 257 |
}//try |
255 | 258 |
catch (SQLException sqlE) |
256 | 259 |
{ |
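Review bot: The `pstmt.close()` at new line 256, inside what appears to be the finally block, runs on a reference that is still null whenever `getDBConnection` (new line 225) or `prepareStatement` (new line 231) throws, so a failed checkout or prepare surfaces as a NullPointerException rather than the SAXException built in the catch; guard it with `if (pstmt != null) { pstmt.close(); }`. With that guard in place the `pstmt.close()` at new line 244 in the try body is redundant, since the cleanup block is always reached. The `pstmt.execute()` / `pstmt.getResultSet()` pair at new lines 234–235 would read more conventionally as `ResultSet rs = pstmt.executeQuery();` for a SELECT. The enclosing getDTDSystemID method begins and ends outside this section, so the remaining cleanup and connection-return logic could not be checked here.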
Uses a PreparedStatement instead of a plain Statement.
Deprecated the DBConnection.createStatement() method to discourage embedding parameter values directly in the SQL text, in favor of parameter binding.
http://bugzilla.ecoinformatics.org/show_bug.cgi?id=5527