use prepared statement instead of string interpolation

2014-03-27 12:41:30 -07:00 · 2014-03-27 12:41:30 -07:00 · 6e18ff7ed4
parent e0ff2aa0d6
commit 6e18ff7ed4
1 changed files with 8 additions and 6 deletions
--- a/server/src/main/java/io/druid/db/DatabaseRuleManager.java
+++ b/server/src/main/java/io/druid/db/DatabaseRuleManager.java
@ -74,13 +74,15 @@ public class DatabaseRuleManager
            @Override
            public Void withHandle(Handle handle) throws Exception
            {
-              List<Map<String, Object>> existing = handle.select(
-                  String.format(
-                      "SELECT id from %s where datasource='%s';",
-                      ruleTable,
-                      defaultTier
+              List<Map<String, Object>> existing = handle
+                  .createQuery(
+                      String.format(
+                          "SELECT id from %s where datasource=:dataSource;",
+                          ruleTable
+                      )
                  )
-              );
+                  .bind("dataSource", defaultTier)
+                  .list();

              if (!existing.isEmpty()) {
                return null;