[16457] Fix trace by using prepared statement

b1e1cd7a · Marco Descher · 437fa1cf · b1e1cd7a
Commit b1e1cd7a authored Sep 24, 2019 by Marco Descher 🏔
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 7 deletions

bundles/ch.elexis.core.data/src/ch/elexis/data/Trace.java bundles/ch.elexis.core.data/src/ch/elexis/data/Trace.java +16 -7

No files found.
--- a/bundles/ch.elexis.core.data/src/ch/elexis/data/Trace.java
+++ b/bundles/ch.elexis.core.data/src/ch/elexis/data/Trace.java
 package ch.elexis.data;

+import java.sql.PreparedStatement;
+import java.sql.SQLException;
+
 import org.apache.commons.lang.StringUtils;
+import org.slf4j.LoggerFactory;

 import ch.elexis.core.data.events.ElexisEventDispatcher;
 import ch.rgw.tools.JdbcLink;
-import ch.rgw.tools.JdbcLink.Stm;
 import ch.rgw.tools.net.NetTool;

 /**
@@ -32,14 +35,20 @@ public class Trace {
 		String _action = (StringUtils.isEmpty(action)) ? "" : action;
 		
 		JdbcLink connection = PersistentObject.getConnection();
-		Stm statement = connection.getStatement();
+		
+		String insertStatement = "INSERT INTO " + TABLENAME + " VALUES(?, ?, ?, ?)";
+		
+		PreparedStatement statement = connection.getPreparedStatement(insertStatement);
 		try {
-			statement.exec("INSERT INTO " + TABLENAME + " VALUES("
-				+ Long.toString(System.currentTimeMillis()) + ", "
-				+ connection.wrapFlavored(_workstation) + ", " + connection.wrapFlavored(_username)
-				+ ", " + connection.wrapFlavored(_action) + ")");
+			statement.setString(1, Long.toString(System.currentTimeMillis()));
+			statement.setString(2, _workstation);
+			statement.setString(3, _username);
+			statement.setString(4, _action);
+			statement.execute();
+		} catch (SQLException e) {
+			LoggerFactory.getLogger(Trace.class).error("Catched this - FIX IT", e);
 		} finally {
-			connection.releaseStatement(statement);
+			connection.releasePreparedStatement(statement);
 		}
 	}