Isis / ISIS-10

Properly use prepared statements instead of injecting values into "insert" and "update" SQL statements

Description

At the moment, all "insert" and "update" commands are built as a fully formed SQL string with the values embedded in it, for example:
"insert into SQLDATACLASS (PK_ID, color,date_time) values (2252, '0','2010-03-05 22:23:000000')".

This should be changed to a prepared statement with bound parameters: "insert into SQLDATACLASS (PK_ID, color,date_time) values (?,?,?)".

This should also solve the problems with quoting non-string values such as integers and floats (which especially affect DB2). DB2 throws an exception when integers and floats are quoted ('1') instead of passed unquoted (1).
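As an added illustration (not Isis project code), the following shows the shape of the fix described above: the SQL text carries only placeholders, and each value is bound through the JDBC setter for its Java type, so the driver sends PK_ID as an integer instead of a quoted string. The class and method names are hypothetical, and it assumes that table and column names come from the persistence mapping rather than from user input.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.Map;

// Added example, not Isis project code. Table and column names are assumed to
// come from the object-to-table mapping, never from user input; only the
// values are bound as parameters.
public final class ParameterisedSql {
    // "insert into T (a,b,c) values (?,?,?)" - one placeholder per column.
    static String insertSql(String table, Iterable<String> columns) {
        StringBuilder cols = new StringBuilder(), marks = new StringBuilder();
        for (String c : columns) {
            if (cols.length() > 0) { cols.append(','); marks.append(','); }
            cols.append(c);
            marks.append('?');
        }
        return "insert into " + table + " (" + cols + ") values (" + marks + ")";
    }

    // "update T set a=?,b=? where PK_ID=?" - the key value is bound last.
    static String updateSql(String table, Iterable<String> columns, String pk) {
        StringBuilder set = new StringBuilder();
        for (String c : columns) {
            set.append(set.length() > 0 ? "," : "").append(c).append("=?");
        }
        return "update " + table + " set " + set + " where " + pk + "=?";
    }

    // Bind with the setter matching the Java type, so 2252 travels as an
    // integer and never as the quoted string '2252' that DB2 rejects.
    static void bind(PreparedStatement ps, int i, Object v) throws SQLException {
        if (v instanceof Integer) ps.setInt(i, (Integer) v);
        else if (v instanceof Double) ps.setDouble(i, (Double) v);
        else if (v instanceof Timestamp) ps.setTimestamp(i, (Timestamp) v);
        else ps.setString(i, String.valueOf(v));
    }

    // Inserts one row; the map is ordered so columns and values line up.
    static int insert(Connection conn, String table, Map<String, Object> row) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(insertSql(table, row.keySet()))) {
            int i = 1;
            for (Object v : row.values()) bind(ps, i++, v);
            return ps.executeUpdate();
        }
    }
}
```

For the row quoted in the description, a LinkedHashMap holding PK_ID=2252 (Integer), color="0" and a Timestamp for date_time produces exactly the "values (?,?,?)" statement the issue asks for.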

People

Assignee: Kevin Meyer (kevin-m)
Reporter: Kevin Meyer (kevin-m)


Time Tracking

Original Estimate: 168h
Time Spent: 12h
Remaining Estimate: 40h