From c491848d308eaf9dbb0fb65ce17829d4f7822d7b Mon Sep 17 00:00:00 2001
From: buczekp <buczekp>
Date: Thu, 18 Feb 2010 14:25:41 +0000
Subject: [PATCH] [LMS-1361] resolve bindings using template replacement

SVN: 14846
---
 .../cisd/openbis/plugin/query/server/DAO.java | 33 ++++++++++---------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java
index f6cca549596..10cf4588a3b 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/DAO.java
@@ -23,17 +23,17 @@ import java.sql.SQLException;
 import java.sql.Types;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Map;
+import java.util.Map.Entry;
 
 import javax.sql.DataSource;
 
 import org.springframework.dao.DataAccessException;
 import org.springframework.jdbc.core.PreparedStatementCallback;
-import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
 import org.springframework.jdbc.core.simple.SimpleJdbcDaoSupport;
 import org.springframework.jdbc.support.JdbcUtils;
 
 import ch.systemsx.cisd.common.exceptions.UserFailureException;
+import ch.systemsx.cisd.common.utilities.Template;
 import ch.systemsx.cisd.openbis.generic.shared.basic.ExpressionUtil;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.DataTypeCode;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.DoubleTableCell;
@@ -141,22 +141,25 @@ class DAO extends SimpleJdbcDaoSupport
                     return new TableModel(headers, rows);
                 }
             };
-        return (TableModel) new NamedParameterJdbcTemplate(getJdbcTemplate()).execute(
-                createQueryWithJDBCParameters(sqlQuery), tryExtractBindingsMap(bindingsOrNull),
-                callback);
-    }
 
-    /** replaces parameters used in our expressions into the ones supported by JDBC */
-    private static String createQueryWithJDBCParameters(String sqlQuery)
-    {
-        String result = sqlQuery.replace(ExpressionUtil.START, ":");
-        result = sqlQuery.replace(ExpressionUtil.END, "");
-        return result;
+        return (TableModel) getJdbcTemplate().execute(
+                createSQLQueryWithBindingsResolved(sqlQuery, bindingsOrNull), callback);
     }
 
-    @SuppressWarnings("unchecked")
-    private Map tryExtractBindingsMap(QueryParameterBindings bindingsOrNull)
+    // TODO 2010-02-18, Piotr Buczek: this solution is not safe
+    // prepared statement parameters would be better but then we need to know the type of parameters
+    private static String createSQLQueryWithBindingsResolved(String sqlQuery,
+            QueryParameterBindings bindingsOrNull)
     {
-        return bindingsOrNull == null ? null : bindingsOrNull.getBindings();
+        Template template = new Template(sqlQuery);
+        if (bindingsOrNull != null)
+        {
+            for (Entry<String, String> entry : bindingsOrNull.getBindings().entrySet())
+            {
+                template.bind(entry.getKey(), entry.getValue());
+            }
+        }
+        return template.createText();
     }
+
 }
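Review bot: `createSQLQueryWithBindingsResolved` pastes every binding value into the SQL text via `template.bind(entry.getKey(), entry.getValue())`, and the result goes straight to `getJdbcTemplate().execute(...)`, so a value is parsed as part of the statement instead of being handled as data; the TODO above the method concedes this. The removed `NamedParameterJdbcTemplate` path kept values out of the statement text, and its visible defect was only that the second replace restarted from `sqlQuery`; `result = result.replace(ExpressionUtil.END, "");` would repair it without giving up parameter binding. If parameter types really are the blocker, an interim step is to validate each value against the type the query expects before binding, and to make the TODO explicit, e.g. `// SECURITY: binding values are inserted into the SQL text unescaped; do not pass untrusted input until this uses statement parameters`. The enclosing query method starts outside the hunk, so the origin of `bindingsOrNull` is not visible here and should be checked against its callers.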
-- 
GitLab