I think this can be achieved by changing the way in which the parameters are
set in the statement.
For example, in ObjectNode, retrieveObject(Uri uri) calls:

    Statement statement = null;
    try {
        statement = connection.createStatement();
        // the uri value is spliced straight into the SQL text
        String s = "select * from objects where uri='" + uri + "'";
        statement.execute(s);
        ResultSet res = statement.getResultSet();
This could be replaced with:

    PreparedStatement statement = null;
    try {
        statement = connection.prepareStatement("select * from objects where uri = ?");
        // the uri value is bound as a parameter, never parsed as SQL
        statement.setString(1, uri.toString());
        ResultSet res = statement.executeQuery();
If the common consensus is that this is the correct approach I'll go through
both JDBCDescriptorsStore and replace the statements with prepared
statements.
I just had a quick look at JDBCContentStore and it uses prepared statements.
k.
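The difference between the two snippets above, as an added runnable illustration that is not part of this message or the project's code: Python's sqlite3 stands in for JDBC, the `objects` table and its rows are constructed here, and a uri containing an apostrophe shows why the concatenated form is fragile while the bound-parameter form is not.

```python
import sqlite3

# Constructed sample data standing in for the project's `objects` table.
SAMPLE_ROWS = [
    ("urn:example:alpha", "object alpha"),
    ("urn:example:o'neil", "object whose uri contains an apostrophe"),
]


def open_store():
    """Create an in-memory store with an objects(uri, body) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table objects (uri text primary key, body text)")
    conn.executemany("insert into objects values (?, ?)", SAMPLE_ROWS)
    return conn


def retrieve_concatenated(conn, uri):
    """The pattern the message wants to replace: the uri is spliced into
    the SQL text, so any quote inside it becomes part of the statement."""
    s = "select * from objects where uri='" + uri + "'"
    return conn.execute(s).fetchall()


def retrieve_prepared(conn, uri):
    """The replacement: the uri travels as a bound parameter, never as SQL."""
    return conn.execute("select * from objects where uri = ?", (uri,)).fetchall()


def compare(uri):
    """Run both variants on the same uri and report what each returned.
    concatenated_error is set when the spliced query failed to parse."""
    conn = open_store()
    try:
        concatenated, concatenated_error = None, None
        try:
            concatenated = retrieve_concatenated(conn, uri)
        except sqlite3.OperationalError as exc:
            concatenated_error = str(exc)
        prepared = retrieve_prepared(conn, uri)
        return {
            "concatenated": concatenated,
            "concatenated_error": concatenated_error,
            "prepared": prepared,
        }
    finally:
        conn.close()
```

For a plain uri both variants return the same row; for the apostrophe uri the concatenated query is no longer valid SQL and raises, while the prepared one returns the row.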