Project

General

Profile

Revision 6606

uses prepared statement instead of plain old statement.
deprecated the DBConnection.createStatement() method to discourage direct parameter value use in favor of parameter binding.
http://bugzilla.ecoinformatics.org/show_bug.cgi?id=5527

View differences:

test/edu/ucsb/nceas/MCTestCase.java
25 25

  
26 26
package edu.ucsb.nceas;
27 27

  
28
import junit.framework.TestCase;
29

  
30 28
import java.io.BufferedReader;
31 29
import java.io.File;
32 30
import java.io.FileReader;
......
38 36
import java.sql.ResultSet;
39 37
import java.sql.ResultSetMetaData;
40 38
import java.sql.SQLException;
41
import java.sql.Statement;
42
import java.util.Calendar;
43
import java.util.Date;
44
import java.util.GregorianCalendar;
45 39
import java.util.HashMap;
46 40
import java.util.Hashtable;
47
import java.util.SimpleTimeZone;
48
import java.util.TimeZone;
49 41
import java.util.Vector;
50 42

  
43
import junit.framework.TestCase;
44

  
51 45
import org.apache.http.client.HttpClient;
52 46
import org.apache.http.impl.client.DefaultHttpClient;
53 47

  
54
import edu.ucsb.nceas.metacat.database.DBConnection;
55
import edu.ucsb.nceas.metacat.database.DBConnectionPool;
56 48
import edu.ucsb.nceas.metacat.client.InsufficientKarmaException;
57 49
import edu.ucsb.nceas.metacat.client.Metacat;
58 50
import edu.ucsb.nceas.metacat.client.MetacatException;
59 51
import edu.ucsb.nceas.metacat.client.MetacatFactory;
60 52
import edu.ucsb.nceas.metacat.client.MetacatInaccessibleException;
53
import edu.ucsb.nceas.metacat.database.DBConnection;
54
import edu.ucsb.nceas.metacat.database.DBConnectionPool;
61 55
import edu.ucsb.nceas.metacat.properties.PropertyService;
62 56
import edu.ucsb.nceas.metacat.shared.ServiceException;
63 57
import edu.ucsb.nceas.metacat.util.DocumentUtil;
......
508 502
	protected static void dbQuery(String sqlStatement, String methodName)
509 503
			throws SQLException {
510 504

  
511
		DBConnectionPool connPool = DBConnectionPool.getInstance();
512 505
		DBConnection dbconn = DBConnectionPool.getDBConnection(methodName);
513 506
		int serialNumber = dbconn.getCheckOutSerialNumber();
514 507

  
515
		Statement statement = dbconn.createStatement();
516

  
508
		PreparedStatement statement = dbconn.prepareStatement(sqlStatement);
517 509
		debug("Executing against db: " + sqlStatement);
518
		statement.executeQuery(sqlStatement);
510
		statement.executeQuery();
519 511

  
520 512
		statement.close();
521 513
		
......
525 517
	protected static void dbUpdate(String sqlStatement, String methodName)
526 518
			throws SQLException {
527 519

  
528
		DBConnectionPool connPool = DBConnectionPool.getInstance();
529 520
		DBConnection dbconn = DBConnectionPool.getDBConnection(methodName);
530 521
		int serialNumber = dbconn.getCheckOutSerialNumber();
531 522

  
532
		Statement statement = dbconn.createStatement();
533

  
523
		PreparedStatement statement = dbconn.prepareStatement(sqlStatement);
534 524
		debug("Executing against db: " + sqlStatement);
535
		statement.executeUpdate(sqlStatement);
536

  
525
		statement.executeUpdate();
537 526
		statement.close();
538 527

  
539 528
		DBConnectionPool.returnDBConnection(dbconn, serialNumber);
src/edu/ucsb/nceas/metacat/accesscontrol/AccessControlList.java
27 27

  
28 28
package edu.ucsb.nceas.metacat.accesscontrol;
29 29

  
30
import java.io.*;
31
import java.sql.*;
30
import java.io.IOException;
31
import java.io.StringReader;
32
import java.sql.PreparedStatement;
33
import java.sql.ResultSet;
34
import java.sql.SQLException;
32 35
import java.util.Stack;
33 36
import java.util.Vector;
34 37

  
35 38
import org.apache.log4j.Logger;
36 39
import org.xml.sax.Attributes;
37
import org.xml.sax.InputSource;
38 40
import org.xml.sax.ContentHandler;
39 41
import org.xml.sax.EntityResolver;
40 42
import org.xml.sax.ErrorHandler;
43
import org.xml.sax.InputSource;
41 44
import org.xml.sax.SAXException;
42 45
import org.xml.sax.XMLReader;
46
import org.xml.sax.helpers.DefaultHandler;
43 47
import org.xml.sax.helpers.XMLReaderFactory;
44
import org.xml.sax.helpers.DefaultHandler;
45 48

  
46 49
import edu.ucsb.nceas.metacat.BasicNode;
47 50
import edu.ucsb.nceas.metacat.DBEntityResolver;
48 51
import edu.ucsb.nceas.metacat.DocumentImpl;
49 52
import edu.ucsb.nceas.metacat.McdbException;
50
import edu.ucsb.nceas.metacat.PermissionController;
51 53
import edu.ucsb.nceas.metacat.database.DBConnection;
52 54
import edu.ucsb.nceas.metacat.database.DBConnectionPool;
53 55
import edu.ucsb.nceas.metacat.properties.PropertyService;
54
import edu.ucsb.nceas.metacat.shared.AccessException;
55
import edu.ucsb.nceas.metacat.util.MetacatUtil;
56 56
import edu.ucsb.nceas.metacat.util.SystemUtil;
57 57
import edu.ucsb.nceas.utilities.PropertyNotFoundException;
58 58

  
......
478 478
  {
479 479
    //DBConnection conn = null;
480 480
    //int serialNumber = -1;
481
    Statement stmt = null;
481
    PreparedStatement pstmt = null;
482 482
    try
483 483
    {
484 484
      //check out DBConenction
485 485
      //conn=DBConnectionPool.getDBConnection("AccessControlList.deltePerm");
486 486
      //serialNumber=conn.getCheckOutSerialNumber();
487
    	String sql = "DELETE FROM xml_access WHERE accessfileid = ?";
487 488
      // delete all acl records for resources related to @aclid if any
488
      stmt = connection.createStatement();
489
      pstmt = connection.prepareStatement(sql);
490
      pstmt.setString(1, aclid);
489 491
      // Increase DBConnection usage count
490 492
      connection.increaseUsageCount(1);
491
      logMetacat.debug("running sql: " + stmt.toString());
492
      stmt.execute("DELETE FROM xml_access WHERE accessfileid = '" + aclid 
493
                                                                      + "'");
493
      logMetacat.debug("running sql: " + pstmt.toString());
494
      pstmt.execute();
494 495
      //increase usageCount!!!!!!
495 496
      //conn.increaseUsageCount(1);
496 497
    }
......
500 501
    }
501 502
    finally
502 503
    {
503
      stmt.close();
504
      pstmt.close();
504 505
      //retrun DBConnection
505 506
      //DBConnectionPool.returnDBConnection(conn,serialNumber);
506 507
    }
src/edu/ucsb/nceas/metacat/DocumentImpl.java
43 43
import java.sql.PreparedStatement;
44 44
import java.sql.ResultSet;
45 45
import java.sql.SQLException;
46
import java.sql.Statement;
47 46
import java.sql.Timestamp;
48 47
import java.util.Calendar;
49 48
import java.util.Date;
......
3420 3419
                                 throws SQLException
3421 3420
    {
3422 3421
      String type = null;
3423
      String sql = "SELECT DOCTYPE FROM xml_documents WHERE docid LIKE " + "'" +
3424
                    docidWithoutRev +"'";
3425
      Statement stmt = null;
3426
      stmt = conn.createStatement();
3427
      ResultSet result = stmt.executeQuery(sql);
3422
      String sql = "SELECT DOCTYPE FROM xml_documents WHERE docid LIKE ?";
3423
      PreparedStatement stmt = null;
3424
      stmt = conn.prepareStatement(sql);
3425
      stmt.setString(1, docidWithoutRev);
3426
      ResultSet result = stmt.executeQuery();
3428 3427
      boolean hasResult = result.next();
3429 3428
      if (hasResult)
3430 3429
      {
src/edu/ucsb/nceas/metacat/DBSAXNode.java
29 29
import java.sql.PreparedStatement;
30 30
import java.sql.ResultSet;
31 31
import java.sql.SQLException;
32
import java.sql.Statement;
33 32
import java.util.Enumeration;
34 33
import java.util.Hashtable;
35 34

  
......
356 355
  /** get next node id from DB connection */
357 356
  private long generateNodeID() throws SAXException {
358 357
      long nid=0;
359
      Statement stmt;
358
      PreparedStatement pstmt;
360 359
      DBConnection dbConn = null;
361 360
      int serialNumber = -1;
362 361
      try {
363 362
        // Get DBConnection
364 363
        dbConn=DBConnectionPool.getDBConnection("DBSAXNode.generateNodeID");
365 364
        serialNumber=dbConn.getCheckOutSerialNumber();
366
        stmt = dbConn.createStatement();
367
        stmt.execute("SELECT xml_nodes_id_seq.nextval FROM dual");
368
        ResultSet rs = stmt.getResultSet();
365
        String sql = "SELECT xml_nodes_id_seq.nextval FROM dual";
366
        pstmt = dbConn.prepareStatement(sql);
367
        pstmt.execute();
368
        ResultSet rs = pstmt.getResultSet();
369 369
        boolean tableHasRows = rs.next();
370 370
        if (tableHasRows) {
371 371
          nid = rs.getLong(1);
372 372
        }
373
        stmt.close();
373
        pstmt.close();
374 374
      } catch (SQLException e) {
375 375
        System.out.println("Error in DBSaxNode.generateNodeID: " +
376 376
                            e.getMessage());
src/edu/ucsb/nceas/metacat/EML201DocumentCorrector.java
1 1
package edu.ucsb.nceas.metacat;
2 2

  
3
import java.sql.Statement;
3
import java.sql.PreparedStatement;
4 4

  
5 5
import org.apache.log4j.Logger;
6 6

  
......
50 50
    	           //checkout the dbconnection
51 51
    	          dbconn = DBConnectionPool.getDBConnection("EML201DocumentCorrector.run");
52 52
    	          serialNumber = dbconn.getCheckOutSerialNumber();
53
    	          Statement deletingStatement = dbconn.createStatement();
53
    	          PreparedStatement deletingStatement = null;
54 54
    	         
55 55
    	          // delete the records in xml_index table 
56 56
    	          String deletingIndex = generateXML_IndexDeletingSQL();
57 57
    	          logMetacat.debug("EML201DocumentCorrector.run - deleting the records in xml_index table with sql: " + deletingIndex);
58
    	          deletingStatement.execute(deletingIndex);
58
    	          deletingStatement = dbconn.prepareStatement(deletingIndex);
59
    	          deletingStatement.execute();
60
    	          deletingStatement.close();
59 61
    	          
60 62
    	          // delete the records in xml_nodes table
61 63
    	          String deletingNode = generateXML_NodeDeletingSQL();
62 64
    	          logMetacat.debug("EML201DocumentCorrector.run - deleting the records in xml_nodes table with sql: " + deletingNode);
63
    	          deletingStatement.execute(deletingNode);
65
    	          deletingStatement = dbconn.prepareStatement(deletingNode);
66
    	          deletingStatement.execute();
67
    	          deletingStatement.close();
64 68
    	          
65 69
    	          // delete the records in xml_nodes_revisions table
66 70
    	          String deletingNodeRevision = generateXML_Node_RevisionsDeletingSQL();
67 71
    	          logMetacat.debug("EML201DocumentCorrector.run - deleting the records in xml_nodes_revisions table with sql: " + deletingNodeRevision);
68
    	          deletingStatement.execute(deletingNodeRevision);
72
    	          deletingStatement = dbconn.prepareStatement(deletingNodeRevision);
73
    	          deletingStatement.execute();
74
    	          deletingStatement.close();
69 75
    	          
70
    	          //close statement and connection
71
    	          deletingStatement.close();
72
    	          //dbconn.close();
73 76
    	          success = true;
74 77
    	      }
75 78
    	        catch (Exception ee)
src/edu/ucsb/nceas/metacat/database/DBConnection.java
411 411
  
412 412
  /**
413 413
   * Method to create a Statement
414
   * @deprecated PreparedStatements are preferred so as to encourage 
415
   * parameter value binding
414 416
   */
415 417
  public Statement createStatement() throws SQLException
416 418
  {
src/edu/ucsb/nceas/metacat/DBSAXHandler.java
27 27

  
28 28
package edu.ucsb.nceas.metacat;
29 29

  
30
import java.sql.PreparedStatement;
30 31
import java.sql.ResultSet;
31 32
import java.sql.Statement;
32 33
import java.util.Date;
......
361 362
                                .getDBConnection("DBSAXHandler.startElement");
362 363
                        serialNumber = dbConn.getCheckOutSerialNumber();
363 364

  
364
                        Statement stmt = dbConn.createStatement();
365
                        ResultSet rs = stmt
366
                                .executeQuery("SELECT catalog_id FROM xml_catalog "
367
                                        + "WHERE entry_type = 'DTD' "
368
                                        + "AND public_id = '" + doctype + "'");
365
                        String sql = "SELECT catalog_id FROM xml_catalog "
366
                            + "WHERE entry_type = 'DTD' "
367
                            + "AND public_id = ?";
368
                        	
369
                        PreparedStatement pstmt = dbConn.prepareStatement(sql);
370
                        pstmt.setString(1, doctype);
371
                        ResultSet rs = pstmt.executeQuery();
369 372
                        boolean hasRow = rs.next();
370 373
                        if (hasRow) {
371 374
                            catalogid = rs.getString(1);
372 375
                        }
373
                        stmt.close();
376
                        pstmt.close();
374 377
                    }//try
375 378
                    finally {
376 379
                        // Return dbconnection
377
                        DBConnectionPool.returnDBConnection(dbConn,
378
                                serialNumber);
380
                        DBConnectionPool.returnDBConnection(dbConn, serialNumber);
379 381
                    }//finally
380 382
                }
381 383

  
src/edu/ucsb/nceas/metacat/DBEntityResolver.java
217 217
                 throws SAXException
218 218
  {
219 219
    String systemid = null;
220
    Statement stmt = null;
220
    PreparedStatement pstmt = null;
221 221
    DBConnection conn = null;
222 222
    int serialNumber = -1;
223 223
    try {
......
225 225
      conn=DBConnectionPool.getDBConnection("DBEntityResolver.getDTDSystemID");
226 226
      serialNumber=conn.getCheckOutSerialNumber();
227 227

  
228
      stmt = conn.createStatement();
229
      stmt.execute("SELECT system_id FROM xml_catalog " +
230
                   "WHERE entry_type = 'DTD' AND public_id = '" +
231
                   doctype + "'");
232
      ResultSet rs = stmt.getResultSet();
228
      String sql = "SELECT system_id FROM xml_catalog " +
229
      "WHERE entry_type = 'DTD' AND public_id = ?";
230
      
231
      pstmt = conn.prepareStatement(sql);
232
      pstmt.setString(1, doctype);
233
      
234
      pstmt.execute();
235
      ResultSet rs = pstmt.getResultSet();
233 236
      boolean tableHasRows = rs.next();
234 237
      if (tableHasRows) {
235 238
        systemid = rs.getString(1);
......
238 241
        	systemid = SystemUtil.getContextURL() + systemid;
239 242
        }
240 243
      }
241
      stmt.close();
244
      pstmt.close();
242 245
    } catch (SQLException e) {
243 246
      throw new SAXException
244 247
      ("DBEntityResolver.getDTDSystemID - SQL error when getting DTD system ID: " + e.getMessage());
......
250 253
    {
251 254
      try
252 255
      {
253
        stmt.close();
256
        pstmt.close();
254 257
      }//try
255 258
      catch (SQLException sqlE)
256 259
      {
src/edu/ucsb/nceas/metacat/Eml200SAXHandler.java
41 41
import java.sql.PreparedStatement;
42 42
import java.sql.ResultSet;
43 43
import java.sql.SQLException;
44
import java.sql.Statement;
45 44
import java.util.Date;
46 45
import java.util.EmptyStackException;
47 46
import java.util.Enumeration;
......
742 741
                                .getDBConnection("DBSAXHandler.startElement");
743 742
                        serialNumber = dbConn.getCheckOutSerialNumber();
744 743

  
745
                        Statement stmt = dbConn.createStatement();
746
                        ResultSet rs = stmt
747
                                .executeQuery("SELECT catalog_id FROM xml_catalog "
748
                                        + "WHERE entry_type = 'Schema' "
749
                                        + "AND public_id = '" + doctype + "'");
744
                        String sql = "SELECT catalog_id FROM xml_catalog "
745
                            + "WHERE entry_type = 'Schema' "
746
                            + "AND public_id = ?";
747
                        PreparedStatement pstmt = dbConn.prepareStatement(sql);
748
                        pstmt.setString(1, doctype);
749
                        ResultSet rs = pstmt.executeQuery();
750 750
                        boolean hasRow = rs.next();
751 751
                        if (hasRow) {
752 752
                            catalogid = rs.getString(1);
753 753
                        }
754
                        stmt.close();
754
                        pstmt.close();
755 755
                        //System.out.println("here!!!!!!!!!!!!!!!!!!2");
756 756
                    }//try
757 757
                    finally {
......
2169 2169
    private void deletePermissionsInAccessTableForDoc(String docid)
2170 2170
            throws SAXException
2171 2171
    {
2172
        Statement stmt = null;
2172
        PreparedStatement pstmt = null;
2173 2173
        try {
2174
        	String sql = "DELETE FROM xml_access WHERE docid = ?";
2174 2175
            // delete all acl records for resources related to @aclid if any
2175
            stmt = connection.createStatement();
2176
            pstmt = connection.prepareStatement(sql);
2177
            pstmt.setString(1, docid);
2176 2178
            // Increase DBConnection usage count
2177 2179
            connection.increaseUsageCount(1);
2178
            stmt.execute("DELETE FROM xml_access WHERE docid = '"
2179
                    + docid + "'");
2180
            pstmt.execute();
2180 2181

  
2181 2182
        } catch (SQLException e) {
2182 2183
            throw new SAXException(e.getMessage());
2183 2184
        } finally {
2184 2185
            try {
2185
                stmt.close();
2186
                pstmt.close();
2186 2187
            } catch (SQLException ee) {
2187 2188
                throw new SAXException(ee.getMessage());
2188 2189
            }
......
2192 2193
    /* Delete access rules from xml_access for a subtee id */
2193 2194
    private void deleteSubtreeAccessRule(String subtreeid) throws SAXException
2194 2195
    {
2195
      Statement stmt = null;
2196
      PreparedStatement pstmt = null;
2196 2197
       try
2197 2198
       {
2198
           stmt = connection.createStatement();
2199
    	   String sql = 
2200
    		   "DELETE FROM xml_access " +
2201
    		   "WHERE accessfileid = ? " +
2202
               "AND subtreeid = ?";
2203
           pstmt = connection.prepareStatement(sql);
2204
           pstmt.setString(1, docid);
2205
           pstmt.setString(2, subtreeid);
2199 2206
           // Increase DBConnection usage count
2200 2207
           connection.increaseUsageCount(1);
2201
           stmt.execute("DELETE FROM xml_access WHERE accessfileid = '"
2202
                   + docid + "' AND subtreeid ='" + subtreeid +"'");
2208
           pstmt.execute();
2203 2209
       }
2204 2210
       catch (SQLException e)
2205 2211
       {
......
2209 2215
       {
2210 2216
           try
2211 2217
           {
2212
               stmt.close();
2218
               pstmt.close();
2213 2219
           }
2214 2220
           catch (SQLException ee)
2215 2221
           {
......
2221 2227

  
2222 2228
    private void deleteAllInlineDataAccessRules() throws SAXException
2223 2229
    {
2224
      Statement stmt = null;
2230
      PreparedStatement pstmt = null;
2225 2231
       try
2226 2232
       {
2227
           stmt = connection.createStatement();
2233
    	   String sql = 
2234
    		   "DELETE FROM xml_access " +
2235
    		   "WHERE accessfileid = ? AND subtreeid IS NOT NULL";
2236
           pstmt = connection.prepareStatement(sql);
2237
           pstmt.setString(1, docid);
2228 2238
           // Increase DBConnection usage count
2229 2239
           connection.increaseUsageCount(1);
2230
           stmt.execute("DELETE FROM xml_access WHERE accessfileid = '"
2231
                   + docid + "' AND subtreeid IS NOT NULL");
2240
           pstmt.execute();
2232 2241
       }
2233 2242
       catch (SQLException e)
2234 2243
       {
......
2238 2247
       {
2239 2248
           try
2240 2249
           {
2241
               stmt.close();
2250
               pstmt.close();
2242 2251
           }
2243 2252
           catch (SQLException ee)
2244 2253
           {
......
2349 2358
    /* Delete every access subtree record from xml_accesssubtree. */
2350 2359
    private void deleteAccessSubTreeRecord(String docId) throws SAXException
2351 2360
    {
2352
        Statement stmt = null;
2361
        PreparedStatement pstmt = null;
2353 2362
        try {
2363
        	String sql = "DELETE FROM xml_accesssubtree WHERE docid = ?";
2354 2364
            // delete all acl records for resources related to @aclid if any
2355
            stmt = connection.createStatement();
2365
            pstmt = connection.prepareStatement(sql);
2366
            pstmt.setString(1, docId);
2356 2367
            // Increase DBConnection usage count
2357 2368
            connection.increaseUsageCount(1);                   
2358
            logMetacat.debug("running sql: DELETE FROM xml_accesssubtree WHERE docid = '"
2359
                    + docId + "'");
2360
            stmt.execute("DELETE FROM xml_accesssubtree WHERE docid = '"
2361
                    + docId + "'");
2369
            logMetacat.debug("running sql: " + sql);
2370
            pstmt.execute();
2362 2371

  
2363 2372
        } catch (SQLException e) {
2364 2373
            throw new SAXException(e.getMessage());
2365 2374
        } finally {
2366 2375
            try {
2367
                stmt.close();
2376
                pstmt.close();
2368 2377
            } catch (SQLException ee) {
2369 2378
                throw new SAXException(ee.getMessage());
2370 2379
            }
src/edu/ucsb/nceas/metacat/Eml210SAXHandler.java
35 35
import java.sql.PreparedStatement;
36 36
import java.sql.ResultSet;
37 37
import java.sql.SQLException;
38
import java.sql.Statement;
39 38
import java.util.Date;
40 39
import java.util.EmptyStackException;
41 40
import java.util.Enumeration;
......
385 384
						dbConn = DBConnectionPool
386 385
								.getDBConnection("DBSAXHandler.startElement");
387 386
						serialNumber = dbConn.getCheckOutSerialNumber();
388

  
389
						Statement stmt = dbConn.createStatement();
390
						ResultSet rs = stmt
391
								.executeQuery("SELECT catalog_id FROM xml_catalog "
392
										+ "WHERE entry_type = 'Schema' "
393
										+ "AND public_id = '" + doctype + "'");
387
						
388
						String sql = "SELECT catalog_id FROM xml_catalog "
389
							+ "WHERE entry_type = 'Schema' "
390
							+ "AND public_id = ?";
391
						PreparedStatement pstmt = dbConn.prepareStatement(sql);
392
						pstmt.setString(1, doctype);
393
						ResultSet rs = pstmt.executeQuery();
394 394
						boolean hasRow = rs.next();
395 395
						if (hasRow) {
396 396
							catalogid = rs.getString(1);
397 397
						}
398
						stmt.close();
398
						pstmt.close();
399 399
					}// try
400 400
					finally {
401 401
						// Return dbconnection
......
1570 1570

  
1571 1571
	/* Delete from db all permission for resources related to @aclid if any. */
1572 1572
	private void deletePermissionsInAccessTable(String aclid) throws SAXException {
1573
		Statement stmt = null;
1573
		PreparedStatement pstmt = null;
1574 1574
		try {
1575
			String sql = "DELETE FROM xml_access WHERE accessfileid = '" + aclid + "'";
1575 1576
			// delete all acl records for resources related to @aclid if any
1576
			stmt = connection.createStatement();
1577
			pstmt = connection.prepareStatement(sql);
1578
			pstmt.setString(1, aclid);
1577 1579
			// Increase DBConnection usage count
1578 1580
			connection.increaseUsageCount(1);
1579
			logMetacat.debug("running sql: DELETE FROM xml_access WHERE accessfileid = '"
1580
					+ aclid + "'");
1581
			stmt.execute("DELETE FROM xml_access WHERE accessfileid = '" + aclid + "'");
1581
			logMetacat.debug("running sql: " + sql);
1582
			pstmt.execute();
1582 1583

  
1583 1584
		} catch (SQLException e) {
1584 1585
			throw new SAXException(e.getMessage());
1585 1586
		} finally {
1586 1587
			try {
1587
				stmt.close();
1588
				pstmt.close();
1588 1589
			} catch (SQLException ee) {
1589 1590
				throw new SAXException(ee.getMessage());
1590 1591
			}
......
1648 1649

  
1649 1650
	/* Delete every access subtree record from xml_accesssubtree. */
1650 1651
	private void deleteAccessSubTreeRecord(String docId) throws SAXException {
1651
		Statement stmt = null;
1652
		PreparedStatement pstmt = null;
1652 1653
		try {
1654
			String sql = "DELETE FROM xml_accesssubtree WHERE docid = ?";
1653 1655
			// delete all acl records for resources related to @aclid if any
1654
			stmt = connection.createStatement();
1656
			pstmt = connection.prepareStatement(sql);
1657
			pstmt.setString(1, docId);
1655 1658
			// Increase DBConnection usage count
1656 1659
			connection.increaseUsageCount(1);
1657
			logMetacat.debug("running sql: DELETE FROM xml_accesssubtree WHERE docid = '"
1658
					+ docId + "'");
1659
			stmt.execute("DELETE FROM xml_accesssubtree WHERE docid = '" + docId + "'");
1660
			logMetacat.debug("running sql: " + sql);
1661
			pstmt.execute();
1660 1662

  
1661 1663
		} catch (SQLException e) {
1662 1664
			throw new SAXException(e.getMessage());
1663 1665
		} finally {
1664 1666
			try {
1665
				stmt.close();
1667
				pstmt.close();
1666 1668
			} catch (SQLException ee) {
1667 1669
				throw new SAXException(ee.getMessage());
1668 1670
			}

Also available in: Unified diff