From c63b295d153b7de9c054005f058920c47575f3d4 Mon Sep 17 00:00:00 2001
From: "mingzhi.zhang"
Date: Mon, 9 Oct 2023 14:48:44 +0800
Subject: [PATCH] bgfix sql injection
---
 .../broker/transaction/jdbc/JDBCTransactionStore.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rocketmq/broker/src/main/java/org/apache/rocketmq/broker/transaction/jdbc/JDBCTransactionStore.java b/rocketmq/broker/src/main/java/org/apache/rocketmq/broker/transaction/jdbc/JDBCTransactionStore.java
index 056d939..f3c5b67 100644
--- a/rocketmq/broker/src/main/java/org/apache/rocketmq/broker/transaction/jdbc/JDBCTransactionStore.java
+++ b/rocketmq/broker/src/main/java/org/apache/rocketmq/broker/transaction/jdbc/JDBCTransactionStore.java
@@ -119,12 +119,12 @@ private boolean computeTotalRecords() {
 }
 private boolean createDB() {
- Statement statement = null;
+ PreparedStatement statement = null;
 try {
- statement = this.connection.createStatement();
-
 String sql = this.createTableSql();
 log.info("createDB SQL:\n {}", sql);
+
+ statement = this.connection.prepareStatement(sql);
 statement.execute(sql);
 this.connection.commit();
 return true;
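Review bot: The unchanged `statement.execute(sql);` now runs on a `PreparedStatement`, and the JDBC contract says `execute(String)` must not be called on one and may throw `SQLException`, so createDB() can start failing depending on the driver; it should be `statement.execute();`. Separately, preparing the string returned by `createTableSql()` binds no parameters, so if that method concatenates a table name or other configured value into the DDL (its body is outside this hunk, so this is inferred), the statement text is exactly as attacker-influenced as before. Identifiers cannot be bound with `?`, so the durable fix is to validate any such name against a strict pattern or allowlist before it reaches the SQL text. createDB() continues past the end of the hunk, so the close/rollback handling for `statement` is not visible here.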