
Commit 5a00192

michael-simonsschauder
authored and committed
Escape JDBC styled parameters.
Closes #2228 Original pull request #2229
1 parent 39e72af commit 5a00192


2 files changed

+20
-6
lines changed


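--- a/src/main/java/org/springframework/data/jpa/repository/query/ExpressionBasedStringQuery.java
+++ b/src/main/java/org/springframework/data/jpa/repository/query/ExpressionBasedStringQuery.java
@@ -35,15 +35,15 @@
 * @author Thomas Darimont
 * @author Oliver Gierke
 * @author Tom Hombergs
+* @author Michael J. Simons
 */
 class ExpressionBasedStringQuery extends StringQuery {
 
-private static final String EXPRESSION_PARAMETER = "?#{";
-private static final String QUOTED_EXPRESSION_PARAMETER = "?__HASH__{";
+private static final String EXPRESSION_PARAMETER = "$1#{";
+private static final String QUOTED_EXPRESSION_PARAMETER = "$1__HASH__{";
 
-private static final Pattern EXPRESSION_PARAMETER_QUOTING = Pattern.compile(Pattern.quote(EXPRESSION_PARAMETER));
-private static final Pattern EXPRESSION_PARAMETER_UNQUOTING = Pattern.compile(Pattern
-.quote(QUOTED_EXPRESSION_PARAMETER));
+private static final Pattern EXPRESSION_PARAMETER_QUOTING = Pattern.compile("([:\\?])#\\{");
+private static final Pattern EXPRESSION_PARAMETER_UNQUOTING = Pattern.compile("([:\\?])__HASH__\\{");
 
 private static final String ENTITY_NAME = "entityName";
 private static final String ENTITY_NAME_VARIABLE = "#" + ENTITY_NAME;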
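Review bot: EXPRESSION_PARAMETER and QUOTED_EXPRESSION_PARAMETER (new lines 42-43) are now replacement templates whose `$1` refers to the prefix group captured by EXPRESSION_PARAMETER_QUOTING and EXPRESSION_PARAMETER_UNQUOTING, but nothing in the hunk says so and the names still read as literal parameter markers. A comment on the two constants such as `// Matcher.replaceAll templates: $1 is the ':' or '?' prefix captured by the patterns below` would stop a later change from using them as plain substrings or wrapping them in Matcher.quoteReplacement, either of which would silently emit a literal "$1" into the query. The `\\?` inside the character class is unnecessary; `"([:?])#\\{"` and `"([:?])__HASH__\\{"` are equivalent and read more clearly. The methods that apply these patterns lie outside the hunk, so whether every quoting pass is still paired with an unquoting pass cannot be confirmed here.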

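--- a/src/test/java/org/springframework/data/jpa/repository/query/ExpressionBasedStringQueryUnitTests.java
+++ b/src/test/java/org/springframework/data/jpa/repository/query/ExpressionBasedStringQueryUnitTests.java
@@ -34,6 +34,7 @@
 * @author Oliver Gierke
 * @author Jens Schauder
 * @author Mark Paluch
+* @author Michael J. Simons
 */
 @ExtendWith(MockitoExtension.class)
 @MockitoSettings(strictness = Strictness.LENIENT)
@@ -66,7 +67,7 @@ void renderAliasInExpressionQueryCorrectly() {
 void shouldDetectBindParameterCountCorrectly() {
 
 StringQuery query = new ExpressionBasedStringQuery(
-"select n from NetworkServer n where (LOWER(n.name) LIKE LOWER(NULLIF(text(concat('%',:#{#networkRequest.name},'%')), '')) OR :#{#networkRequest.name} IS NULL )\"\n"
+"select n from #{#entityName} n where (LOWER(n.name) LIKE LOWER(NULLIF(text(concat('%',:#{#networkRequest.name},'%')), '')) OR :#{#networkRequest.name} IS NULL )\"\n"
 + "+ \"AND (LOWER(n.server) LIKE LOWER(NULLIF(text(concat('%',:#{#networkRequest.server},'%')), '')) OR :#{#networkRequest.server} IS NULL)\"\n"
 + "+ \"AND (n.createdAt >= :#{#networkRequest.createdTime.startDateTime}) AND (n.createdAt <=:#{#networkRequest.createdTime.endDateTime})\"\n"
 + "+ \"AND (n.updatedAt >= :#{#networkRequest.updatedTime.startDateTime}) AND (n.updatedAt <=:#{#networkRequest.updatedTime.endDateTime})",
@@ -75,4 +76,17 @@ void shouldDetectBindParameterCountCorrectly() {
 assertThat(query.getParameterBindings()).hasSize(8);
 }
 
+@Test // GH-2228
+void shouldDetectBindParameterCountCorrectlyWithJDBCStyleParameters() {
+
+StringQuery query = new ExpressionBasedStringQuery(
+"select n from #{#entityName} n where (LOWER(n.name) LIKE LOWER(NULLIF(text(concat('%',?#{#networkRequest.name},'%')), '')) OR ?#{#networkRequest.name} IS NULL )\"\n"
++ "+ \"AND (LOWER(n.server) LIKE LOWER(NULLIF(text(concat('%',?#{#networkRequest.server},'%')), '')) OR ?#{#networkRequest.server} IS NULL)\"\n"
++ "+ \"AND (n.createdAt >= ?#{#networkRequest.createdTime.startDateTime}) AND (n.createdAt <=?#{#networkRequest.createdTime.endDateTime})\"\n"
++ "+ \"AND (n.updatedAt >= ?#{#networkRequest.updatedTime.startDateTime}) AND (n.updatedAt <=?#{#networkRequest.updatedTime.endDateTime})",
+metadata, SPEL_PARSER);
+
+assertThat(query.getParameterBindings()).hasSize(8);
+}
+
 }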
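Review bot: The query literal in the new test (new lines 83-86) copies the stray `\"\n"` and `"+ \"` fragments of the existing test above it, so the string actually handed to ExpressionBasedStringQuery contains embedded double quotes, newlines and a literal `+ ` before each AND clause rather than a plain JPQL query. The asserted count of 8 is unaffected, since it depends only on the eight `?#{` occurrences, but the fixture reads as if it were a well-formed query and a reader may copy it as one. Dropping those fragments, as below, keeps the assertion unchanged while making the fixture a clean query; the same applies to the existing test's literal on new lines 70-73. The two tests differ only in the `:` versus `?` prefix, so a parameterized test over the prefix would also remove the duplicated body.
```java
StringQuery query = new ExpressionBasedStringQuery(
		"select n from #{#entityName} n where (LOWER(n.name) LIKE LOWER(NULLIF(text(concat('%',?#{#networkRequest.name},'%')), '')) OR ?#{#networkRequest.name} IS NULL ) "
				+ "AND (LOWER(n.server) LIKE LOWER(NULLIF(text(concat('%',?#{#networkRequest.server},'%')), '')) OR ?#{#networkRequest.server} IS NULL) "
				+ "AND (n.createdAt >= ?#{#networkRequest.createdTime.startDateTime}) AND (n.createdAt <=?#{#networkRequest.createdTime.endDateTime}) "
				+ "AND (n.updatedAt >= ?#{#networkRequest.updatedTime.startDateTime}) AND (n.updatedAt <=?#{#networkRequest.updatedTime.endDateTime})",
		metadata, SPEL_PARSER);
// … unchanged: assertThat(query.getParameterBindings()).hasSize(8); …
```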
