Revision 6606
Added by ben leinfelder over 12 years ago
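--- a/DBSAXHandler.java
+++ b/DBSAXHandler.java
@@ -27,6 +27,7 @@
 
 package edu.ucsb.nceas.metacat;
 
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.Statement;
 import java.util.Date;
@@ -361,21 +362,22 @@
 .getDBConnection("DBSAXHandler.startElement");
 serialNumber = dbConn.getCheckOutSerialNumber();
 
-Statement stmt = dbConn.createStatement();
-ResultSet rs = stmt
-.executeQuery("SELECT catalog_id FROM xml_catalog "
-+ "WHERE entry_type = 'DTD' "
-+ "AND public_id = '" + doctype + "'");
+String sql = "SELECT catalog_id FROM xml_catalog "
++ "WHERE entry_type = 'DTD' "
++ "AND public_id = ?";
+
+PreparedStatement pstmt = dbConn.prepareStatement(sql);
+pstmt.setString(1, doctype);
+ResultSet rs = pstmt.executeQuery();
 boolean hasRow = rs.next();
 if (hasRow) {
 catalogid = rs.getString(1);
 }
-stmt.close();
+pstmt.close();
 }//try
 finally {
 // Return dbconnection
-DBConnectionPool.returnDBConnection(dbConn,
-serialNumber);
+DBConnectionPool.returnDBConnection(dbConn, serialNumber);
 }//finally
 }
 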
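Review bot: `pstmt.close()` (new line 376) sits inside the try body, so if `setString`, `executeQuery` or `rs.next()` throws, the PreparedStatement stays open on a pooled connection that the finally block still hands back via `DBConnectionPool.returnDBConnection`; the pre-existing `stmt.close()` had the same gap, and `rs` is never closed on either side. Hoist the declaration above the try as `PreparedStatement pstmt = null;` and close it in the finally before the connection is returned, e.g. `if (pstmt != null) { pstmt.close(); }`, wrapped so a failure to close cannot prevent `returnDBConnection` from running. Whether `close()`'s SQLException can propagate from here depends on the enclosing method's throws clause, which is outside the hunk; the try block and `startElement` begin above new line 362. The switch to a bound `?` parameter is the right fix for the previous string-built `public_id` predicate, so the remaining point is only lifecycle, not query construction.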
uses prepared statement instead of plain old statement.
deprecated the DBConnection.createStatement() method to discourage embedding parameter values directly in SQL text, in favor of parameter binding.
http://bugzilla.ecoinformatics.org/show_bug.cgi?id=5527