From b7d37deb85aa80f8cc19755082da682c99c9600c Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Tue, 9 Jul 2024 21:18:32 +0100
Subject: [PATCH] Refactored to use parameterized SQL APIs (#1545)

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
---
 .../config/security/database/DatabaseBackupHelper.java | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/main/java/stirling/software/SPDF/config/security/database/DatabaseBackupHelper.java b/src/main/java/stirling/software/SPDF/config/security/database/DatabaseBackupHelper.java
index 026a96843..0cf1e612d 100644
--- a/src/main/java/stirling/software/SPDF/config/security/database/DatabaseBackupHelper.java
+++ b/src/main/java/stirling/software/SPDF/config/security/database/DatabaseBackupHelper.java
@@ -8,6 +8,7 @@ import java.nio.file.Paths;
 import java.nio.file.attribute.BasicFileAttributes;
 import java.sql.Connection;
 import java.sql.DriverManager;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
@@ -131,11 +132,12 @@ public class DatabaseBackupHelper implements DatabaseBackupInterface {
         DateTimeFormatter myFormatObj = DateTimeFormatter.ofPattern("yyyyMMddHHmm");
         Path insertOutputFilePath = this.getBackupFilePath("backup_" + dateNow.format(myFormatObj) + ".sql");
-        String query = "SCRIPT SIMPLE COLUMNS DROP to '" + insertOutputFilePath.toString() + "';";
+        String query = "SCRIPT SIMPLE COLUMNS DROP to ?;";
         try (Connection conn = DriverManager.getConnection(url, "sa", "");
-                Statement stmt = conn.createStatement()) {
-            stmt.execute(query);
+                PreparedStatement stmt = conn.prepareStatement(query)) {
+            stmt.setString(1, insertOutputFilePath.toString());
+            stmt.execute();
             log.info("Database export completed: {}", insertOutputFilePath);
         } catch (SQLException e) {
             log.error("Error during database export: {}", e.getMessage(), e);