/src/edu/ucsb/nceas/metacat/accesscontrol/AccessControlList.java - Diff - Metacat - Ecoinformatics Redmine

« Previous | Next »

Revision 6606

Added by ben leinfelder over 12 years ago

uses prepared statement instead of plain old statement.
deprecated the DBConnection.createStatement() method to discourage direct parameter value use in favor of parameter binding.
http://bugzilla.ecoinformatics.org/show_bug.cgi?id=5527

     package edu.ucsb.nceas.metacat.accesscontrol;
     import java.io.*;
     import java.sql.*;
     import java.io.IOException;
     import java.io.StringReader;
     import java.sql.PreparedStatement;
     import java.sql.ResultSet;
     import java.sql.SQLException;
     import java.util.Stack;
     import java.util.Vector;
     import org.apache.log4j.Logger;
     import org.xml.sax.Attributes;
     import org.xml.sax.InputSource;
     import org.xml.sax.ContentHandler;
     import org.xml.sax.EntityResolver;
     import org.xml.sax.ErrorHandler;
     import org.xml.sax.InputSource;
     import org.xml.sax.SAXException;
     import org.xml.sax.XMLReader;
     import org.xml.sax.helpers.DefaultHandler;
     import org.xml.sax.helpers.XMLReaderFactory;
     import org.xml.sax.helpers.DefaultHandler;
     import edu.ucsb.nceas.metacat.BasicNode;
     import edu.ucsb.nceas.metacat.DBEntityResolver;
     import edu.ucsb.nceas.metacat.DocumentImpl;
     import edu.ucsb.nceas.metacat.McdbException;
     import edu.ucsb.nceas.metacat.PermissionController;
     import edu.ucsb.nceas.metacat.database.DBConnection;
     import edu.ucsb.nceas.metacat.database.DBConnectionPool;
     import edu.ucsb.nceas.metacat.properties.PropertyService;
     import edu.ucsb.nceas.metacat.shared.AccessException;
     import edu.ucsb.nceas.metacat.util.MetacatUtil;
     import edu.ucsb.nceas.metacat.util.SystemUtil;
     import edu.ucsb.nceas.utilities.PropertyNotFoundException;
-...
+      {
         //DBConnection conn = null;
         //int serialNumber = -1;
         Statement stmt = null;
         PreparedStatement pstmt = null;
         try
+        {
           //check out DBConenction
           //conn=DBConnectionPool.getDBConnection("AccessControlList.deltePerm");
           //serialNumber=conn.getCheckOutSerialNumber();
         	String sql = "DELETE FROM xml_access WHERE accessfileid = ?";
           // delete all acl records for resources related to @aclid if any
           stmt = connection.createStatement();
           pstmt = connection.prepareStatement(sql);
           pstmt.setString(1, aclid);
           // Increase DBConnection usage count
           connection.increaseUsageCount(1);
           logMetacat.debug("running sql: " + stmt.toString());
           stmt.execute("DELETE FROM xml_access WHERE accessfileid = '" + aclid
                                                                           + "'");
           logMetacat.debug("running sql: " + pstmt.toString());
           pstmt.execute();
           //increase usageCount!!!!!!
           //conn.increaseUsageCount(1);
+        }
-...
+        }
         finally
+        {
           stmt.close();
           pstmt.close();
           //retrun DBConnection
           //DBConnectionPool.returnDBConnection(conn,serialNumber);
+        }

Also available in: Unified diff

Project

General

Profile

Metacat

Revision 6606

Added by ben leinfelder over 12 years ago