
Revision 6606

uses prepared statement instead of plain old statement.
deprecated the DBConnection.createStatement() method to discourage embedding parameter values directly in SQL text, in favor of parameter binding.
http://bugzilla.ecoinformatics.org/show_bug.cgi?id=5527


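--- a/DBSAXHandler.java
+++ b/DBSAXHandler.java
@@ -27,6 +27,7 @@
 
 package edu.ucsb.nceas.metacat;
 
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.Statement;
 import java.util.Date;
@@ -361,21 +362,22 @@
                                 .getDBConnection("DBSAXHandler.startElement");
                         serialNumber = dbConn.getCheckOutSerialNumber();
 
-                        Statement stmt = dbConn.createStatement();
-                        ResultSet rs = stmt
-                                .executeQuery("SELECT catalog_id FROM xml_catalog "
-                                        + "WHERE entry_type = 'DTD' "
-                                        + "AND public_id = '" + doctype + "'");
+                        String sql = "SELECT catalog_id FROM xml_catalog "
+                            + "WHERE entry_type = 'DTD' "
+                            + "AND public_id = ?";
+                        	
+                        PreparedStatement pstmt = dbConn.prepareStatement(sql);
+                        pstmt.setString(1, doctype);
+                        ResultSet rs = pstmt.executeQuery();
                         boolean hasRow = rs.next();
                         if (hasRow) {
                             catalogid = rs.getString(1);
                         }
-                        stmt.close();
+                        pstmt.close();
                     }//try
                     finally {
                         // Return dbconnection
-                        DBConnectionPool.returnDBConnection(dbConn,
-                                serialNumber);
+                        DBConnectionPool.returnDBConnection(dbConn, serialNumber);
                     }//finally
                 }
 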
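Review bot: `pstmt.close()` on the new side still runs only on the normal path, so if `prepareStatement`, `setString` or `executeQuery` throws, the PreparedStatement (and the ResultSet `rs`, which is never closed at all) leaks even though the `finally` block does hand `dbConn` back to the pool. Declare the statement before the enclosing try as `PreparedStatement pstmt = null;` and close it in the existing `finally` ahead of `returnDBConnection`, e.g. `if (pstmt != null) { try { pstmt.close(); } catch (SQLException ignored) { /* best-effort cleanup */ } }`; closing the statement also releases its ResultSet. The enclosing try block begins outside this hunk. Binding `doctype` through `setString` removes the SQL-injection path the old concatenated `public_id = '...'` query had, so the `createStatement()` deprecation named in the description is the right follow-through as long as remaining callers are migrated the same way.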
