SqlIdentifierParameterSource now sanitizes identifier names

IAM20 · IAM20 · commit 13fd49a79e10 · 2023-03-23T12:06:12.000+09:00
diff --git a/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/convert/SqlGenerator.java b/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/convert/SqlGenerator.java
@@ -29,7 +29,6 @@
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.function.Function;
-import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -88,6 +87,7 @@
 import org.springframework.util.Assert;
 
 import com.navercorp.spring.data.jdbc.plus.sql.annotation.SqlFunction;
+import com.navercorp.spring.data.jdbc.plus.sql.parametersource.BindParameterNameSanitizer;
 
 /**
  * Generates SQL statements to be used by {@link org.springframework.data.jdbc.repository.support.SimpleJdbcRepository}
@@ -113,8 +113,6 @@ class SqlGenerator {
 	static final SqlIdentifier IDS_SQL_PARAMETER = SqlIdentifier.unquoted("ids");
 	static final SqlIdentifier ROOT_ID_PARAMETER = SqlIdentifier.unquoted("rootId");
 
-	private static final Pattern parameterPattern = Pattern.compile("\\W");
-
 	private final RelationalPersistentEntity<?> entity;
 	private final MappingContext<RelationalPersistentEntity<?>, RelationalPersistentProperty> mappingContext;
 	private final RenderContext renderContext;
@@ -236,7 +234,7 @@ private Condition getSubselectCondition(PersistentPropertyPathExtension path,
 	}
 
 	private BindMarker getBindMarker(SqlIdentifier columnName) {
-		return SQL.bindMarker(":" + parameterPattern.matcher(renderReference(columnName)).replaceAll(""));
+		return SQL.bindMarker(":" + BindParameterNameSanitizer.sanitize(renderReference(columnName)));
 	}
 
 	/**
@@ -887,7 +885,7 @@ private String createUpdateWithVersionSql() {
 
 		Update update = createBaseUpdate() //
 			.and(getVersionColumn().isEqualTo(
-				SQL.bindMarker(":" + renderReference(VERSION_SQL_PARAMETER)))) //
+				getBindMarker(VERSION_SQL_PARAMETER))) //
 			.build();
 
 		return render(update);
@@ -950,7 +948,7 @@ private String createDeleteByIdAndVersionSql() {
 
 		Delete delete = createBaseDeleteById(getDmlTable()) //
 			.and(getVersionColumn().isEqualTo(
-				SQL.bindMarker(":" + renderReference(VERSION_SQL_PARAMETER)))) //
+				getBindMarker(VERSION_SQL_PARAMETER))) //
 			.build();
 
 		return render(delete);
@@ -959,13 +957,13 @@ private String createDeleteByIdAndVersionSql() {
 	private DeleteBuilder.DeleteWhereAndOr createBaseDeleteById(Table table) {
 		return Delete.builder().from(table)
 			.where(getIdColumn().isEqualTo(
-				SQL.bindMarker(":" + renderReference(ID_SQL_PARAMETER))));
+				getBindMarker(ID_SQL_PARAMETER)));
 	}
 
 	private DeleteBuilder.DeleteWhereAndOr createBaseDeleteByIdIn(Table table) {
 
 		return Delete.builder().from(table)
-			.where(getIdColumn().in(SQL.bindMarker(":" + renderReference(IDS_SQL_PARAMETER))));
+			.where(getIdColumn().in(getBindMarker(IDS_SQL_PARAMETER)));
 	}
 
 	private String createDeleteByPathAndCriteria(PersistentPropertyPathExtension path,
diff --git a/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/BindParameterNameSanitizer.java b/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/BindParameterNameSanitizer.java
@@ -0,0 +1,21 @@
+package com.navercorp.spring.data.jdbc.plus.sql.parametersource;
+
+import java.util.regex.Pattern;
+
+/**
+ * Sanitizes the name of bind parameters, so they don't contain any illegal characters.
+ *
+ * @author Jens Schauder
+ *
+ * @since 3.0.2
+ *
+ * COPY: org.springframework.data.jdbc.core.convert.BindParameterNameSanitizer
+ */
+public abstract class BindParameterNameSanitizer {
+
+	private static final Pattern parameterPattern = Pattern.compile("\\W");
+
+	public static String sanitize(String rawName) {
+		return parameterPattern.matcher(rawName).replaceAll("");
+	}
+}
diff --git a/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/SqlIdentifierParameterSource.java b/spring-data-jdbc-plus-sql/src/main/java/com/navercorp/spring/data/jdbc/plus/sql/parametersource/SqlIdentifierParameterSource.java
@@ -74,7 +74,7 @@ void addValue(SqlIdentifier name, Object value) {
 	void addValue(SqlIdentifier identifier, Object value, int sqlType) {
 
 		identifiers.add(identifier);
-		String name = identifier.getReference(identifierProcessing);
+		String name = BindParameterNameSanitizer.sanitize(identifier.getReference(identifierProcessing));
 		namesToValues.put(name, value);
 		registerSqlType(name, sqlType);
 	}

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ void addValue(SqlIdentifier name, Object value) {`
`74`	`74`	`void addValue(SqlIdentifier identifier, Object value, int sqlType) {`
`75`	`75`
`76`	`76`	`identifiers.add(identifier);`
`77`		`- String name = identifier.getReference(identifierProcessing);`
	`77`	`+ String name = BindParameterNameSanitizer.sanitize(identifier.getReference(identifierProcessing));`
`78`	`78`	`namesToValues.put(name, value);`
`79`	`79`	`registerSqlType(name, sqlType);`
`80`	`80`	`}`