From 75d050444a2e10b1487ba9dc428b1bcca8ed2f63 Mon Sep 17 00:00:00 2001
From: Sam Ottenhoff <ottenhoff@longsight.com>
Date: Thu, 12 Mar 2015 13:26:24 -0400
Subject: [PATCH] SAM-2492 need to refer to MySQL table name in correct case
 and fix parametized JDBC insert

---
 .../facade/QuestionPoolFacadeQueries.java      | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/samigo/samigo-services/src/java/org/sakaiproject/tool/assessment/facade/QuestionPoolFacadeQueries.java b/samigo/samigo-services/src/java/org/sakaiproject/tool/assessment/facade/QuestionPoolFacadeQueries.java
index 5ee5777a4fd4..eb91e62c0700 100644
--- a/samigo/samigo-services/src/java/org/sakaiproject/tool/assessment/facade/QuestionPoolFacadeQueries.java
+++ b/samigo/samigo-services/src/java/org/sakaiproject/tool/assessment/facade/QuestionPoolFacadeQueries.java
@@ -1597,13 +1597,16 @@ public void transferPoolsOwnership(String ownerId, final List<Long> transferPool
                   boolean autoCommit = conn.getAutoCommit();
   		  String query = "";
   		  if (!"".equals(updateOwnerIdInPoolTableQueryString)) {
-  			  query = "UPDATE sam_questionpoolaccess_t SET agentid = '" + ownerId +"' WHERE questionpoolid IN (" + updateOwnerIdInPoolTableQueryString + ")" + 
-  					  " AND accesstypeid = 34";					 
+  			  query = "UPDATE SAM_QUESTIONPOOLACCESS_T SET agentid = ? WHERE questionpoolid IN (?) AND accesstypeid = 34";
   			  statement = conn.prepareStatement(query);
+  			  statement.setString(1, ownerId);
+  			  statement.setString(2, updateOwnerIdInPoolTableQueryString);
   			  statement.executeUpdate();
   			  
-  			  query = "UPDATE sam_questionpool_t SET ownerid = '" + ownerId + "' WHERE questionpoolid IN (" + updateOwnerIdInPoolTableQueryString + ")";
+  			  query = "UPDATE SAM_QUESTIONPOOL_T SET ownerid = ? WHERE questionpoolid IN (?)";
 			  statement = conn.prepareStatement(query);
+  			  statement.setString(1, ownerId);
+  			  statement.setString(2, updateOwnerIdInPoolTableQueryString);
 			  statement.executeUpdate();
                           
                           if (!autoCommit) {
@@ -1613,8 +1616,9 @@ public void transferPoolsOwnership(String ownerId, final List<Long> transferPool
   
   		  // if the pool has parent but the parent doesn't transfer, need to remove the child-parent relationship.
   		  if (!"".equals(removeParentPoolString)) {
-  			  query = "UPDATE sam_questionpool_t SET parentpoolid = " + 0 + " WHERE questionpoolid IN (" + removeParentPoolString + ")";
+  			  query = "UPDATE SAM_QUESTIONPOOL_T SET parentpoolid = 0 WHERE questionpoolid IN (?)";
   			  statement = conn.prepareStatement(query);
+  			  statement.setString(1, removeParentPoolString);
   			  statement.executeUpdate();	
                           
                           if (!autoCommit) {
@@ -1628,7 +1632,7 @@ public void transferPoolsOwnership(String ownerId, final List<Long> transferPool
 			  try {
 				  statement.close();
 			  } catch (Exception ex) {
-				  ex.printStackTrace();
+				  log.warn("Could not close statement", ex);
 			  }
 		  }
   		  
@@ -1636,7 +1640,7 @@ public void transferPoolsOwnership(String ownerId, final List<Long> transferPool
 			  try {
 				  conn.close();
 			  } catch (Exception ex) {
-				  ex.printStackTrace();
+				  log.warn("Could not close conn", ex);
 			  }
 		  }
   		  
@@ -1644,7 +1648,7 @@ public void transferPoolsOwnership(String ownerId, final List<Long> transferPool
   			  try {
   				  session.close();
 			  } catch (Exception ex) {
-				  ex.printStackTrace();
+				  log.warn("Could not close session", ex);
 			  }
   		  }
   	  }