JDBCSessionIdManager should use PreparedStatement #115

Closed
jmcc0nn3ll opened this issue Feb 16, 2016 · 1 comment
@jmcc0nn3ll

migrated from Bugzilla #407045
status ASSIGNED severity enhancement in component server for 9.0.x
Reported in version 9.0.2 on platform PC
Assigned to: Jan Bartel

On 2013-05-02 03:22:03 -0400, Oliver Z wrote:

JDBCSessionIdManager.java:1040 and JDBCSessionIdManager:1042

            Statement statement = con.createStatement();
            //take them out of the sessionIds table
            statement.executeUpdate(fillInClause("delete from "+_sessionIdTable+" where id in ", ids, start, end));
            //take them out of the sessions table
            statement.executeUpdate(fillInClause("delete from "+_sessionTable+" where sessionId in ", ids, start, end));
            block++;

This should be a prepared statement.

On 2013-05-02 03:42:38 -0400, Jan Bartel wrote:

Oliver,

I've edited the title of this bug, as it makes it sound as if jetty is using input that comes from a user on a browser to determine which sessions should be deleted, which might mislead some people.

Jan

On 2013-05-02 04:10:58 -0400, Jan Bartel wrote:

Recategorizing as enhancement.

See also https://bugs.eclipse.org/bugs/show_bug.cgi?id=404068

On 2013-05-02 20:36:55 -0400, Jan Bartel wrote:

Just an observation, but it appears from googling this that it is going to be difficult to find a solution that uses PreparedStatements with an SQL IN clause, particularly as the number of args to the IN clause can vary.

e.g., see http://www.javaranch.com/journal/200510/Journal200510.jsp#a2
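
One common way to handle the variable-length IN clause raised above, shown as an added example that is not part of the original thread and is not Jetty's code: generate one `?` placeholder per id in each block and bind the values. The class name, `MAX_IN_BLOCK`, the table name `session_ids` and the sample ids are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class InClauseDelete {
    // Assumed block size for this example; the page does not give Jetty's value.
    static final int MAX_IN_BLOCK = 3;

    // Table and column are identifiers, which JDBC cannot bind as parameters,
    // so they must come from trusted configuration. Only the ids are bound.
    static String deleteSql(String table, String column, int n) {
        if (n < 1) throw new IllegalArgumentException("need at least one id");
        return "delete from " + table + " where " + column + " in ("
                + String.join(",", Collections.nCopies(n, "?")) + ")";
    }

    // Deletes ids in blocks so the IN list stays under the database's limit.
    static int deleteIds(Connection con, String table, String column, List<String> ids)
            throws SQLException {
        int deleted = 0;
        for (int start = 0; start < ids.size(); start += MAX_IN_BLOCK) {
            List<String> block = ids.subList(start, Math.min(start + MAX_IN_BLOCK, ids.size()));
            try (PreparedStatement ps = con.prepareStatement(deleteSql(table, column, block.size()))) {
                for (int i = 0; i < block.size(); i++) {
                    ps.setString(i + 1, block.get(i)); // bound as data, never concatenated
                }
                deleted += ps.executeUpdate();
            }
        }
        return deleted;
    }

    public static void main(String[] args) {
        // Constructed ids; the second contains a quote that would corrupt a concatenated literal.
        List<String> ids = Arrays.asList("node0abc", "node0'def", "node0ghi", "node0jkl");
        // Show the statement text per block without needing a database.
        for (int start = 0; start < ids.size(); start += MAX_IN_BLOCK) {
            int n = Math.min(MAX_IN_BLOCK, ids.size() - start);
            // "session_ids" is a placeholder table name; "id" is the column from the page.
            System.out.println(deleteSql("session_ids", "id", n) + "  <- binds " + ids.subList(start, start + n));
        }
    }
}
```

With fixed-size blocks, a call produces at most two distinct statement texts (a full block and the remainder), which keeps the driver's statement cache effective. `deleteIds` needs a live `Connection`; `main` only prints the generated SQL.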

@janbartel

With jetty-9.4 the session architecture has been substantially rewritten. The JDBCSessionIdManager no longer exists, and thus these particular queries no longer exist either.

Closing this issue.
