From 11eff2e84d7d68c7a55d2543f395e05aaa6b7995 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Sun, 10 Aug 2025 03:06:48 +0000
Subject: [PATCH] Refactored to use parameterized SQL APIs

---
 .../src/main/java/ai/chat2db/spi/sql/SQLExecutor.java | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/chat2db-server/chat2db-spi/src/main/java/ai/chat2db/spi/sql/SQLExecutor.java b/chat2db-server/chat2db-spi/src/main/java/ai/chat2db/spi/sql/SQLExecutor.java
index e51181743..84f6b17b7 100644
--- a/chat2db-server/chat2db-spi/src/main/java/ai/chat2db/spi/sql/SQLExecutor.java
+++ b/chat2db-server/chat2db-spi/src/main/java/ai/chat2db/spi/sql/SQLExecutor.java
@@ -2,6 +2,7 @@
 import java.sql.Connection;
 import java.sql.DatabaseMetaData;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.ResultSetMetaData;
 import java.sql.SQLException;
@@ -418,9 +419,10 @@ public List tables(Connection connection, String databaseName, String sch
 List
tables = ResultSetUtils.toObjectList(resultSet, Table.class);
 if (CollectionUtils.isNotEmpty(tables)) {
 for (Table table : tables) {
- String sql = "show table status where name = '" + table.getName() + "'";
- try (Statement stmt = connection.createStatement()) {
- boolean query = stmt.execute(sql);
+ String sql = "show table status where name = ?";
+ try (PreparedStatement stmt = connection.prepareStatement(sql)) {
+ stmt.setString(1, table.getName());
+ boolean query = stmt.execute();
 if (query) {
 try (ResultSet rs = stmt.getResultSet();) {
 while (rs.next()) {
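Review bot: The `PreparedStatement` is created inside the per-table `for` loop, so the identical `show table status where name = ?` text is prepared and closed once per table; moving the `try (PreparedStatement stmt = connection.prepareStatement(sql))` above `for (Table table : tables)` and keeping only `stmt.setString(1, table.getName()); boolean query = stmt.execute();` inside the loop prepares it once while still closing it via try-with-resources, and the per-iteration `try (ResultSet rs = stmt.getResultSet())` continues to close each result set before the next execute. The hunk leaves `import java.sql.Statement;` in place; if this loop was its only user it is now an unused import, which cannot be confirmed from this hunk. Since `show table status` is MySQL-specific syntax, whether a `?` marker is accepted inside a SHOW ... WHERE clause can depend on the driver's client- versus server-side prepared-statement mode, so this path deserves a test against the supported server and driver configurations rather than only a compile. The enclosing `tables` method begins before this hunk and its loop and result-set handling end after it.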