Currently, we build the SQL queries in ApprovalSessionBean by appending to a StringBuilder.
This is very error-prone: every value that is concatenated into the query text is a potential SQL injection point. We should rewrite the code to use prepared statements instead.
This is a large refactoring. Each bullet point below is a class/method that requires a change.
Queries are done by:
- query (which takes a Query object, see below)
These methods then call
- which then calls findByCustomQuery
The Query objects currently have a "getQueryString" method. We should add a new method "getPreparedStatement" in these classes:
Since a prepared statement consists of two values,
1. a query string with ? placeholders for the values, and
2. a list of values to bind to those placeholders,
we cannot pass this information around as a single string; we need some kind of wrapper class that carries both.
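The following is an added sketch of such a wrapper, not code from EJBCA or this ticket. The class name PreparedQuery, the table name ApprovalData and the column names approvalType and status are assumptions for illustration; the point is that callers keep appending SQL fragments the way they do today with the StringBuilder, but values go into a parameter list and only a ? is appended to the query text, so the two parts can be handed down to findByCustomQuery together.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical wrapper holding a query string with '?' placeholders
 * together with the values to bind to them (added example, not EJBCA code).
 */
public final class PreparedQuery {
    private final StringBuilder sql = new StringBuilder();
    private final List<Object> params = new ArrayList<>();

    /** Append literal SQL text. Must never contain user-controlled data. */
    public PreparedQuery append(String sqlFragment) {
        sql.append(sqlFragment);
        return this;
    }

    /** Append one '?' placeholder and remember the value to bind to it. */
    public PreparedQuery appendValue(Object value) {
        sql.append('?');
        params.add(value);
        return this;
    }

    /** The query text with placeholders, i.e. what getQueryString() would return. */
    public String getQueryString() {
        return sql.toString();
    }

    /** The values, in placeholder order. */
    public List<Object> getParameters() {
        return Collections.unmodifiableList(params);
    }

    /** Create a JDBC PreparedStatement and bind all parameters in order. */
    public PreparedStatement prepare(Connection connection) throws SQLException {
        PreparedStatement statement = connection.prepareStatement(sql.toString());
        for (int i = 0; i < params.size(); i++) {
            statement.setObject(i + 1, params.get(i)); // JDBC parameter indices are 1-based
        }
        return statement;
    }

    /** The current, error-prone way: the value becomes part of the SQL text. */
    static String unsafeQuery(String approvalType, int status) {
        StringBuilder sb = new StringBuilder("SELECT * FROM ApprovalData WHERE approvalType='");
        sb.append(approvalType).append("' AND status=").append(status);
        return sb.toString();
    }

    /** The parameterized way: the value never touches the SQL text. */
    static PreparedQuery safeQuery(String approvalType, int status) {
        return new PreparedQuery()
                .append("SELECT * FROM ApprovalData WHERE approvalType=")
                .appendValue(approvalType)
                .append(" AND status=")
                .appendValue(status);
    }

    public static void main(String[] args) {
        // Constructed hostile input: a closing quote followed by an always-true clause.
        String hostile = "x' OR '1'='1";
        System.out.println("concatenated: " + unsafeQuery(hostile, 0));
        PreparedQuery q = safeQuery(hostile, 0);
        System.out.println("prepared sql: " + q.getQueryString());
        System.out.println("parameters:   " + q.getParameters());
    }
}
```

With the StringBuilder version the hostile string changes the structure of the WHERE clause; with the wrapper the query text only ever contains ? and the string is bound as a plain value. The same (query string, value list) pair can be fed to a JPA native query instead of JDBC by calling setParameter(position, value) for each entry, so the wrapper does not commit the session beans to either API.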
As follow-up tickets we should do the same for EndEntityAccessSessionBean.query(), the "AuthorizationString" methods in RAAuthorization, etc.