From 4731e0822a3207a2189013fd56dd1058a0cd5b6e Mon Sep 17 00:00:00 2001
From: "U-BASIS\\dgrove" <dgrove@WIN-DGROV-4999.basistech.net>
Date: Thu, 20 Dec 2018 12:36:21 -0500
Subject: [PATCH] Using prepared statements for 'setImagePaths()'.
---
 .../sleuthkit/datamodel/SleuthkitCase.java | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java b/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java
index 26b03017a..6e6bcd2cf 100644
--- a/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/SleuthkitCase.java
@@ -6968,20 +6968,26 @@ public List<Image> getImages() throws TskCoreException {
 public void setImagePaths(long obj_id, List<String> paths) throws TskCoreException {
 CaseDbConnection connection = connections.getConnection();
 acquireSingleUserCaseWriteLock();
- Statement statement = null;
+ PreparedStatement statement = null;
 try {
 connection.beginTransaction();
- statement = connection.createStatement();
- connection.executeUpdate(statement, "DELETE FROM tsk_image_names WHERE obj_id = " + obj_id); //NON-NLS
+ statement = connection.getPreparedStatement(PREPARED_STATEMENT.DELETE_IMAGE_NAME);
+ statement.clearParameters();
+ statement.setLong(1, obj_id);
+ connection.executeUpdate(statement);
 for (int i = 0; i < paths.size(); i++) {
- connection.executeUpdate(statement, "INSERT INTO tsk_image_names VALUES (" + obj_id + ", '" + paths.get(i) + "', " + i + ")"); //NON-NLS
+ statement = connection.getPreparedStatement(PREPARED_STATEMENT.INSERT_IMAGE_NAME);
+ statement.clearParameters();
+ statement.setLong(1, obj_id);
+ statement.setString(2, paths.get(i));
+ statement.setLong(3, i);
+ connection.executeUpdate(statement);
 }
 connection.commitTransaction();
 } catch (SQLException ex) {
 connection.rollbackTransaction();
 throw new TskCoreException("Error updating image paths.", ex);
 } finally {
- closeStatement(statement);
 connection.close();
 releaseSingleUserCaseWriteLock();
 }
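Review bot: The INSERT statement is re-fetched with `connection.getPreparedStatement(PREPARED_STATEMENT.INSERT_IMAGE_NAME)` on every iteration of the `for` loop even though it is the same cached statement each time; move that line above the loop and keep only the `clearParameters`/`set*`/`executeUpdate` calls inside it. A consequence of the switch to bound parameters deserves a comment on the method: a path containing a single quote is now stored intact rather than breaking the statement, and a `null` element in `paths` is presumably written as SQL NULL via `setString` where the old concatenation produced the literal text `null`, so either reject null entries before the loop or document that behaviour. The closing brace of `setImagePaths` lies outside the hunk.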
@@ -9700,7 +9706,10 @@ private enum PREPARED_STATEMENT {
 SELECT_EXAMINER_BY_ID("SELECT * FROM tsk_examiners WHERE examiner_id = ?"),
 SELECT_EXAMINER_BY_LOGIN_NAME("SELECT * FROM tsk_examiners WHERE login_name = ?"),
 UPDATE_FILE_NAME("UPDATE tsk_files SET name = ? WHERE obj_id = ?"),
- UPDATE_IMAGE_NAME("UPDATE tsk_image_info SET display_name = ? WHERE obj_id = ?");
+ UPDATE_IMAGE_NAME("UPDATE tsk_image_info SET display_name = ? WHERE obj_id = ?"),
+ DELETE_IMAGE_NAME("DELETE FROM tsk_image_names WHERE obj_id = ?"),
+ INSERT_IMAGE_NAME("INSERT INTO tsk_image_names (obj_id, name, sequence) VALUES (?, ?, ?)");
+
 private final String sql;
 private PREPARED_STATEMENT(String sql) {
-- GitLab
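Review bot: `DELETE_IMAGE_NAME` removes every `tsk_image_names` row for an object while the neighbouring `UPDATE_IMAGE_NAME` edits the single `display_name` column of `tsk_image_info`, so the constants read as operations on the same field although they touch different tables; naming the new pair after the method that uses them, `DELETE_IMAGE_PATHS` and `INSERT_IMAGE_PATH`, would avoid that. A one-line comment above the pair, e.g. `// used together by setImagePaths() inside one transaction: clear, then re-insert with the list index as sequence`, would also help a reader, since the enum body continues outside the hunk.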