
From Bip Thelin <bip.the...@sf.razorfish.com>
Subject [PATCH] make JDBCRealm handle special characters
Date Thu, 15 Jun 2000 23:49:43 GMT
This is a patch for src/share/org/apache/tomcat/request/JDBCRealm.java
so it can handle special characters.

	..bip
____________________________________________________________________________________________

--- JDBCRealm.java.orig	Fri Jun 16 01:38:12 2000
+++ JDBCRealm.java	Fri Jun 16 01:41:04 2000
@@ -90,6 +90,7 @@
  *
  * @author Craig R. McClanahan
  * @author Carson McDonald
+ * @author Bip Thelin
  *
  */
 
@@ -276,17 +277,24 @@
             }
           }
 
-          Statement statement = dbConnection.createStatement();
-
           if( debug > 1 ) {
              log( "JDBCRealm.authenticate: SELECT " + userCredCol +
                   " FROM " + userTable +
                   " WHERE " + userNameCol + " = '" + username + "'" );
           }
 
-          ResultSet rs = statement.executeQuery( "SELECT " + userCredCol +
-               " FROM " + userTable +
-               " WHERE " + userNameCol + " = '" + username + "'" );
+          PreparedStatement statement = dbConnection.prepareStatement("SELECT " +
+userCredCol +
+                                                                      " FROM " +
+userTable +
+                                                                      " WHERE " +
+userNameCol +
+                                                                      " = ?");
+
+          statement.clearParameters();
+          statement.setString(1, username);
+
+          ResultSet rs = statement.executeQuery();
 
           // If we found a user by this name check the credentials
           if( rs.next() ) {
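Review bot: `statement.clearParameters()` on the line after `prepareStatement` is a no-op, since a freshly prepared statement carries no bound parameters; the call can be dropped, and the same applies in the getUserRoles hunk below. The debug branch above still prints a hand-concatenated query with the username quoted inline, which is no longer the text sent to the driver; holding the SQL in a local and logging it with the bound value separately, e.g. `log( "JDBCRealm.authenticate: " + sql + " [" + username + "]" )`, keeps the log truthful to what executes. `userCredCol`, `userTable` and `userNameCol` are still concatenated into the statement because identifiers cannot be bound as parameters; a comment such as `// column/table names come from realm configuration, not request data` would record why that is acceptable. `PreparedStatement` needs `java.sql.PreparedStatement` in scope and the patch touches no import, which is fine only if the file already imports `java.sql.*` — not visible here. The enclosing authenticate method starts and ends outside the hunk.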
@@ -325,17 +333,22 @@
             }
           }
 
-          Statement statement = dbConnection.createStatement();
-
           if( debug > 1 ) {
               log( "jdbcRealm.getUserRoles: SELECT 1 FROM " + userRoleTable +
                    " WHERE " + userNameCol + " = '" + username +"'" );
           }
 
-          ResultSet rs = statement.executeQuery( "SELECT "+roleNameCol+" FROM " +
-userRoleTable +
-                                                 " WHERE " + userNameCol + " = '" +
-username +"'" );
+          PreparedStatement statement = dbConnection.prepareStatement("SELECT
+"+roleNameCol+
+                                                                      " FROM
+"+userRoleTable+
+                                                                      " WHERE
+"+userNameCol+
+                                                                      " = ?");
+          statement.clearParameters();
+          statement.setString(1, username);
+
+          ResultSet rs = statement.executeQuery();
           // Next we convert the resultset into a String[]
               Vector vrol=new Vector();
               while (rs.next()) {
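Review bot: As the archive renders them, the string literals in the `prepareStatement` call are split across lines — `"SELECT` on one line and `"+roleNameCol+` on the next, and likewise for `" FROM` and `" WHERE` — which a Java compiler rejects as an unterminated string literal; the call should read `"SELECT " + roleNameCol + " FROM " + userRoleTable + " WHERE " + userNameCol + " = ?"`, so this looks like mail-client wrapping rather than the intended source, but the patch should be re-sent with the literals intact so it applies and compiles cleanly. The debug log just above says `SELECT 1 FROM`, while the statement actually selects `roleNameCol`; since the logged text already diverges from the executed query, it is worth making it describe the prepared SQL plus the bound username. The enclosing getUserRoles method starts and ends outside the hunk.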
