JDBC datastore initialization should use prepared statements

Description

When GeoTools initializes a feature backed by a JDBC datastore, it needs to load metadata regarding the features. These queries are done by concatenating string variables to otherwise fixed SQL queries. This is both dangerous and slow. The strings may contain control characters that affect the query, and the database needs to create a new execution plan for each query even though the basic query is fixed. Using prepared statements and injecting parameters via PreparedStatement.setString() fixes both issues.

Environment

GeoServer with tens of feature types backed by multiple Oracle datastores

Assignee

Unassigned

Reporter

Sampo Savolainen

Triage

None

Components

Fix versions

Priority

Low
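
The difference the description refers to, as an added example that is not GeoTools code and not part of the original report. It assumes a representative metadata query against Oracle Spatial's ALL_SDO_GEOM_METADATA view; the class name, method names and sample table names are hypothetical and constructed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class GeometryMetadataLookup {
    // Fixed SQL text: the database parses it once and reuses the plan for every feature type.
    static final String SRID_SQL =
        "SELECT SRID FROM ALL_SDO_GEOM_METADATA "
        + "WHERE OWNER = ? AND TABLE_NAME = ? AND COLUMN_NAME = ?";

    // The pattern the issue describes: names concatenated into the SQL text.
    // Every distinct name yields a distinct statement, and a quote in a name changes the query.
    static String concatenatedSql(String owner, String table, String column) {
        return "SELECT SRID FROM ALL_SDO_GEOM_METADATA WHERE OWNER = '" + owner
            + "' AND TABLE_NAME = '" + table + "' AND COLUMN_NAME = '" + column + "'";
    }

    // Prepared form: names travel as bind values and never become part of the SQL text.
    // Returns the SRID, or null when there is no metadata row or the SRID is NULL.
    static Integer lookupSrid(Connection cx, String owner, String table, String column)
            throws SQLException {
        try (PreparedStatement ps = cx.prepareStatement(SRID_SQL)) {
            ps.setString(1, owner);
            ps.setString(2, table);
            ps.setString(3, column);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                int srid = rs.getInt(1);
                return rs.wasNull() ? null : srid;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample names; the last one contains a quote character.
        String[] tables = {"ROADS", "RIVERS", "O'BRIEN_PARCELS"};
        for (String t : tables) {
            // Three different SQL texts: three parses, and the third is malformed.
            System.out.println(concatenatedSql("GIS", t, "GEOM"));
        }
        // One SQL text regardless of how many feature types are initialized.
        System.out.println(SRID_SQL);
    }
}
```

Running main needs no database: it only prints the statement texts, which makes the per-name variation of the concatenated form visible next to the single prepared statement.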