From 2fc8b13dd56117ec367e4059e76945ce9e3f1f36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Nicoll?=
Date: Fri, 5 Jan 2024 10:25:56 +0100
Subject: [PATCH] Add support for MySQL backticks
This commit makes sure that content within backticks are skipped when parsing a SQL statement using NamedParameterUtils. This harmonizes the current behavior of ignoring special characters that are wrapped in backticks.
Closes gh-31944
---
 .../core/namedparam/NamedParameterUtils.java | 6 +--
 .../namedparam/NamedParameterUtilsTests.java | 39 +++++++++----------
 2 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/spring-jdbc/src/main/java/org/springframework/jdbc/core/namedparam/NamedParameterUtils.java b/spring-jdbc/src/main/java/org/springframework/jdbc/core/namedparam/NamedParameterUtils.java
index f0c97dc573a4..ef7a8019068d 100644
--- a/spring-jdbc/src/main/java/org/springframework/jdbc/core/namedparam/NamedParameterUtils.java
+++ b/spring-jdbc/src/main/java/org/springframework/jdbc/core/namedparam/NamedParameterUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -44,12 +44,12 @@ public abstract class NamedParameterUtils {
 /**
 * Set of characters that qualify as comment or quotes starting characters.
 */
- private static final String[] START_SKIP = new String[] {"'", "\"", "--", "/*"};
+ private static final String[] START_SKIP = new String[] {"'", "\"", "--", "/*", "`"};
 /**
 * Set of characters that at are the corresponding comment or quotes ending characters.
 */
- private static final String[] STOP_SKIP = new String[] {"'", "\"", "\n", "*/"};
+ private static final String[] STOP_SKIP = new String[] {"'", "\"", "\n", "*/", "`"};
 /**
 * Set of characters that qualify as parameter separators,
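Review bot: The Javadoc on `START_SKIP` and `STOP_SKIP` still speaks only of comments and quotes, and nothing in this hunk says that the new backtick entry applies to every statement rather than to MySQL alone. On a dialect where the backtick is not an identifier quote, a single unmatched backtick would presumably hide any `:name` placeholder after it; the scanning loop is outside this patch, so that should be confirmed there. I would change the first Javadoc line to `Character sequences that start a comment, a quoted string or a backtick-quoted identifier; entry i is closed by STOP_SKIP[i].`, which also records that the two arrays are paired by index. The class body continues outside the hunk.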
diff --git a/spring-jdbc/src/test/java/org/springframework/jdbc/core/namedparam/NamedParameterUtilsTests.java b/spring-jdbc/src/test/java/org/springframework/jdbc/core/namedparam/NamedParameterUtilsTests.java
index 699094e2a7bc..ad42c8d2d2d1 100644
--- a/spring-jdbc/src/test/java/org/springframework/jdbc/core/namedparam/NamedParameterUtilsTests.java
+++ b/spring-jdbc/src/test/java/org/springframework/jdbc/core/namedparam/NamedParameterUtilsTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,6 +21,8 @@
 import java.util.Map;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.springframework.dao.InvalidDataAccessApiUsageException;
 import org.springframework.jdbc.core.SqlParameterValue;
@@ -285,25 +287,14 @@ public void variableAssignmentOperator() {
 assertThat(newSql).isEqualTo(expectedSql);
 }
- @Test // SPR-8280
- public void parseSqlStatementWithQuotedSingleQuote() {
- String sql = "SELECT ':foo'':doo', :xxx FROM DUAL";
- ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql);
- assertThat(parsedSql.getTotalParameterCount()).isEqualTo(1);
- assertThat(parsedSql.getParameterNames()).containsExactly("xxx");
- }
-
- @Test
- void parseSqlStatementWithQuotesAndCommentBefore() {
- String sql = "SELECT /*:doo*/':foo', :xxx FROM DUAL";
- ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql);
- assertThat(parsedSql.getTotalParameterCount()).isEqualTo(1);
- assertThat(parsedSql.getParameterNames()).containsExactly("xxx");
- }
-
- @Test
- void parseSqlStatementWithQuotesAndCommentAfter() {
- String sql = "SELECT ':foo'/*:doo*/, :xxx FROM DUAL";
+ @ParameterizedTest // SPR-8280 and others
+ @ValueSource(strings = {
+ "SELECT ':foo'':doo', :xxx FROM DUAL",
+ "SELECT /*:doo*/':foo', :xxx FROM DUAL",
+ "SELECT ':foo'/*:doo*/, :xxx FROM DUAL",
+ "SELECT \":foo\"\":doo\", :xxx FROM DUAL",
+ "SELECT `:foo``:doo`, :xxx FROM DUAL",})
+ void parseSqlStatementWithParametersInsideQuote(String sql) {
 ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql);
 assertThat(parsedSql.getTotalParameterCount()).isEqualTo(1);
 assertThat(parsedSql.getParameterNames()).containsExactly("xxx");
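Review bot: The five inputs of `parseSqlStatementWithParametersInsideQuote` are checked only for the parameter name and count, so nothing verifies that the text inside quotes, comments and backticks is left untouched in the SQL that is executed. The `substituteNamedParameters(parsedSql)` helper already defined in this test class could be used for that: `assertThat(substituteNamedParameters(parsedSql)).isEqualTo(sql.replace(":xxx", "?"));`. The closing brace of the method is outside the hunk, so the line would go after the last visible assertion.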
@@ -361,6 +352,14 @@ public Map getHeaders() {
 assertThat(sqlToUse).isEqualTo("insert into foos (id) values (?)");
 }
+ @Test // gh-31944
+ void parseSqlStatementWithBackticks() {
+ String sql = "select * from `tb&user` where id = :id";
+ ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql);
+ assertThat(parsedSql.getParameterNames()).containsExactly("id");
+ assertThat(substituteNamedParameters(parsedSql)).isEqualTo("select * from `tb&user` where id = ?");
+ }
+
 private static String substituteNamedParameters(ParsedSql parsedSql) {
 return NamedParameterUtils.substituteNamedParameters(parsedSql, null);
 }
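Review bot: `parseSqlStatementWithBackticks` covers `&` inside a backtick-quoted identifier but not a quote character, an input that could desynchronise the quote skipping. I would add a second case with a single quote inside the identifier, `` String sql = "select * from `tb'user` where id = :id"; ``, and the same `containsExactly("id")` assertion. I expect it to pass with the backtick entries added to the skip arrays, but the scanning loop is not part of this patch, so the test would pin that behaviour down.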