> I think this can be achieved by changing the way in which the parameters
> are set in the statement.
>
> For example, ObjectNode retrieveObject(Uri uri) calls
>
> Statement statement = null;
>
> try {
>
> statement = connection.createStatement();
> String s = "select * from objects where uri='" + uri + "'";
>
> statement.execute(s);
> ResultSet res = statement.getResultSet();
>
>
> This could be replaced with
>
> PreparedStatement statement = null;
>
> try {
>
> statement = connection.prepareStatement("select * from objects where uri = ?");
>
> statement.setString(1, uri);
>
> ResultSet res = statement.executeQuery();
>
> If the common consensus is that this is the correct approach I'll go
> through both JDBCDescriptorsStore and replace the statements with prepared
> statements.
Sure, that's a good solution to solve the problem.
> I just had a quick look at JDBCContentStore and it uses prepared
> statements.
Yes, I thought it would be a better way to implement it using prepared
statements, but I didn't go back and rewrite the descriptors store.
Remy
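A complete version of the prepared-statement approach proposed above, covering both the read path shown in the thread and a write path with several bound parameters. This is an added example, not the project's own code; the class name, the ObjectNode stand-in and the "name" column are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hypothetical store class standing in for JDBCDescriptorsStore (assumed name).
public class DescriptorsStoreExample {

    // Minimal stand-in for the project's ObjectNode result type (assumed shape).
    public static final class ObjectNode {
        public final String uri;
        public final String name;
        ObjectNode(String uri, String name) { this.uri = uri; this.name = name; }
    }

    // Read path: the '?' placeholder is bound by the driver as a value, so the
    // contents of `uri` (quotes included) can never change the SQL text itself,
    // which is what the concatenated string in the thread allowed.
    public static ObjectNode retrieveObject(Connection connection, String uri)
            throws SQLException {
        final String sql = "select * from objects where uri = ?";
        // try-with-resources closes statement and result set even on exceptions,
        // something the original try block did not show.
        try (PreparedStatement statement = connection.prepareStatement(sql)) {
            statement.setString(1, uri); // variable is `uri`, not `URI`
            try (ResultSet res = statement.executeQuery()) {
                if (!res.next()) {
                    return null; // nothing stored under this URI
                }
                // "name" column is an assumption; the thread only shows "uri".
                return new ObjectNode(res.getString("uri"), res.getString("name"));
            }
        }
    }

    // Write path: the same pattern applies to inserts and updates, which is the
    // rest of what replacing statements throughout the store would involve.
    // Parameters are bound by 1-based position in the order the '?' appear.
    public static int storeObject(Connection connection, ObjectNode node)
            throws SQLException {
        final String sql = "insert into objects (uri, name) values (?, ?)";
        try (PreparedStatement statement = connection.prepareStatement(sql)) {
            statement.setString(1, node.uri);
            statement.setString(2, node.name);
            return statement.executeUpdate(); // number of rows inserted
        }
    }
}
```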