root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Add support for MySQL backticks 

This commit makes sure that content within backticks are skipped
when parsing a SQL statement using NamedParameterUtils. This harmonizes
the current behavior of ignoring special characters that are wrapped
in backticks.

Closes gh-31944
This commit is contained in:
Stéphane Nicoll 2024-01-05 10:25:56 +01:00
parent e73bbd4ad3
commit 2fc8b13dd5
2 changed files with 22 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
spring-jdbc/src/main/java/org/springframework/jdbc/core/namedparam/NamedParameterUtils.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -44,12 +44,12 @@ public abstract class NamedParameterUtils {
/** /**
* Set of characters that qualify as comment or quotes starting characters. * Set of characters that qualify as comment or quotes starting characters.
*/ */
private static final String[] START_SKIP = new String[] {"'", "\"", "--", "/*"}; private static final String[] START_SKIP = new String[] {"'", "\"", "--", "/*", "`"};
/** /**
* Set of characters that at are the corresponding comment or quotes ending characters. * Set of characters that at are the corresponding comment or quotes ending characters.
*/ */
private static final String[] STOP_SKIP = new String[] {"'", "\"", "\n", "*/"}; private static final String[] STOP_SKIP = new String[] {"'", "\"", "\n", "*/", "`"};
/** /**
* Set of characters that qualify as parameter separators, * Set of characters that qualify as parameter separators,

39
spring-jdbc/src/test/java/org/springframework/jdbc/core/namedparam/NamedParameterUtilsTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -21,6 +21,8 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.springframework.dao.InvalidDataAccessApiUsageException; import org.springframework.dao.InvalidDataAccessApiUsageException;
import org.springframework.jdbc.core.SqlParameterValue; import org.springframework.jdbc.core.SqlParameterValue;
@ -285,25 +287,14 @@ class NamedParameterUtilsTests {
assertThat(newSql).isEqualTo(expectedSql); assertThat(newSql).isEqualTo(expectedSql);
} }
@Test // SPR-8280 @ParameterizedTest // SPR-8280 and others
public void parseSqlStatementWithQuotedSingleQuote() { @ValueSource(strings = {
String sql = "SELECT ':foo'':doo', :xxx FROM DUAL"; "SELECT ':foo'':doo', :xxx FROM DUAL",
ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql); "SELECT /*:doo*/':foo', :xxx FROM DUAL",
assertThat(parsedSql.getTotalParameterCount()).isEqualTo(1); "SELECT ':foo'/*:doo*/, :xxx FROM DUAL",
assertThat(parsedSql.getParameterNames()).containsExactly("xxx"); "SELECT \":foo\"\":doo\", :xxx FROM DUAL",
} "SELECT `:foo``:doo`, :xxx FROM DUAL",})
void parseSqlStatementWithParametersInsideQuote(String sql) {
@Test
void parseSqlStatementWithQuotesAndCommentBefore() {
String sql = "SELECT /*:doo*/':foo', :xxx FROM DUAL";
ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql);
assertThat(parsedSql.getTotalParameterCount()).isEqualTo(1);
assertThat(parsedSql.getParameterNames()).containsExactly("xxx");
}
@Test
void parseSqlStatementWithQuotesAndCommentAfter() {
String sql = "SELECT ':foo'/*:doo*/, :xxx FROM DUAL";
ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql); ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql);
assertThat(parsedSql.getTotalParameterCount()).isEqualTo(1); assertThat(parsedSql.getTotalParameterCount()).isEqualTo(1);
assertThat(parsedSql.getParameterNames()).containsExactly("xxx"); assertThat(parsedSql.getParameterNames()).containsExactly("xxx");
@ -361,6 +352,14 @@ class NamedParameterUtilsTests {
assertThat(sqlToUse).isEqualTo("insert into foos (id) values (?)"); assertThat(sqlToUse).isEqualTo("insert into foos (id) values (?)");
} }
@Test // gh-31944
void parseSqlStatementWithBackticks() {
String sql = "select * from `tb&user` where id = :id";
ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql);
assertThat(parsedSql.getParameterNames()).containsExactly("id");
assertThat(substituteNamedParameters(parsedSql)).isEqualTo("select * from `tb&user` where id = ?");
}
private static String substituteNamedParameters(ParsedSql parsedSql) { private static String substituteNamedParameters(ParsedSql parsedSql) {
return NamedParameterUtils.substituteNamedParameters(parsedSql, null); return NamedParameterUtils.substituteNamedParameters(parsedSql, null);
} }