-package org.collectionspace.services.common.storage;
-
-import java.sql.Connection;
-import java.sql.PreparedStatement;
/**
* Per http://stackoverflow.com/a/7127189
*/
+package org.collectionspace.services.common.storage;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
import java.sql.SQLException;
public class PreparedStatementBuilder
--- /dev/null
+package org.collectionspace.services.common.storage;
+
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
+import java.util.List;
+
+public class PreparedStatementSimpleBuilder extends PreparedStatementBuilder {
+
+ private List<String> params;
+
+ public PreparedStatementSimpleBuilder(final String sql, final List<String> params) {
+ super(sql);
+ this.params = params;
+ }
+
+ @Override
+ protected void preparePrepared(final PreparedStatement preparedStatement)
+ throws SQLException {
+ int i = 0;
+ for (String param : params) {
+ i++;
+ preparedStatement.setString(i, param);
+ }
+ }
+}
\ No newline at end of file
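Review bot: PreparedStatementSimpleBuilder stores the caller's list by reference in a non-final field, so a later mutation of that list by the caller changes what preparePrepared binds, and a null list only fails inside the JDBC call; take a snapshot and reject null in the constructor, `private final List<String> params;` and `this.params = new ArrayList<>(Objects.requireNonNull(params, "params"));` (with the matching java.util imports). The class also has no Javadoc; add one stating that each element is bound with setString in list order at 1-based positions, so values that must be bound as numbers or dates still need a PreparedStatementBuilder subclass. That Javadoc is also the place to record that this builder keeps user input such as partialTerm as a bound parameter, which is the property the FIXME in the caller hunk (contemplating JDBCTools.executeQuery() plus input sanitization) would give up. The file is complete within this hunk.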
import org.collectionspace.services.common.query.QueryContext;
import org.collectionspace.services.common.repository.RepositoryClient;
import org.collectionspace.services.common.storage.JDBCTools;
-import org.collectionspace.services.common.storage.PreparedStatementBuilder;
+import org.collectionspace.services.common.storage.PreparedStatementSimpleBuilder;
import org.collectionspace.services.lifecycle.TransitionDef;
import org.collectionspace.services.nuxeo.util.NuxeoUtils;
MultivaluedMap<String, String> queryParams = ctx.getQueryParams();
final String partialTerm = queryParams.getFirst(IQueryManager.SEARCH_TYPE_PARTIALTERM);
+
+ // FIXME: Look into whether this performance concern specific to query
+ // planning with prepared statements may be affecting us:
+ // http://stackoverflow.com/a/678452
+ // If that proves to be a significant concern, we can instead use
+ // JDBCTools.executeQuery(), and attempt to sanitize user input
+ // against potential SQL injection attacks.
// FIXME: Replace this placeholder query with an actual query resulting
// from CSPACE-5945 work
// FIXME: We might also consider skipping the JOIN on the common schema table
// in the '_ALL_' case, where we are not restricting by inAuthority value
- PreparedStatementBuilder jdbcFilterBuilder = new PreparedStatementBuilder(sql){
- @Override
- protected void preparePrepared(PreparedStatement preparedStatement)
- throws SQLException
- {
- preparedStatement.setString(1, partialTerm + JDBCTools.SQL_WILDCARD);
- }};
-
+ List<String> params = new ArrayList<>();
+ params.add(partialTerm + JDBCTools.SQL_WILDCARD);
+ PreparedStatementSimpleBuilder jdbcFilterQueryBuilder = new PreparedStatementSimpleBuilder(sql, params);
+
List<String> docIds = new ArrayList<>();
- try (CachedRowSet crs = JDBCTools.executePreparedQuery(jdbcFilterBuilder,
+ try (CachedRowSet crs = JDBCTools.executePreparedQuery(jdbcFilterQueryBuilder,
dataSourceName, repositoryName, sql)) {
// If the response to the query is null or contains zero rows,