KEYCLOAK-5667

stianst · stianst · commit 6d1c33ccdc93 · 2017-12-06T06:45:23.000+01:00
diff --git a/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/AbstractUserFedToComponent.java b/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/AbstractUserFedToComponent.java
@@ -35,7 +35,8 @@ public abstract class AbstractUserFedToComponent extends CustomKeycloakTask {
     private final Logger logger = Logger.getLogger(getClass());
     protected void convertFedProviderToComponent(String providerId, String newMapperType) throws CustomChangeException {
         try {
-            PreparedStatement statement = jdbcConnection.prepareStatement("select ID, REALM_ID, PRIORITY, DISPLAY_NAME, FULL_SYNC_PERIOD, CHANGED_SYNC_PERIOD, LAST_SYNC from " + getTableName("USER_FEDERATION_PROVIDER") + " WHERE PROVIDER_NAME='" + providerId + "'");
+            PreparedStatement statement = jdbcConnection.prepareStatement("select ID, REALM_ID, PRIORITY, DISPLAY_NAME, FULL_SYNC_PERIOD, CHANGED_SYNC_PERIOD, LAST_SYNC from " + getTableName("USER_FEDERATION_PROVIDER") + " WHERE PROVIDER_NAME=?");
+            statement.setString(1, providerId);
 
             try {
                 ResultSet resultSet = statement.executeQuery();
@@ -88,10 +89,13 @@ protected void convertFedProviderToComponent(String providerId, String newMapper
                         }
 
                         DeleteStatement configDelete = new DeleteStatement(null, null, database.correctObjectName("USER_FEDERATION_CONFIG", Table.class));
-                        configDelete.setWhere("USER_FEDERATION_PROVIDER_ID='" + id + "'");
+                        configDelete.setWhere("USER_FEDERATION_PROVIDER_ID=?");
+                        configDelete.addWhereParameters(id);
+
                         statements.add(configDelete);
                         DeleteStatement deleteStatement = new DeleteStatement(null, null, database.correctObjectName("USER_FEDERATION_PROVIDER", Table.class));
-                        deleteStatement.setWhere("ID='" + id + "'");
+                        deleteStatement.setWhere("ID=?");
+                        deleteStatement.addWhereParameters(id);
                         statements.add(deleteStatement);
 
                     }
@@ -118,7 +122,8 @@ protected InsertStatement componentConfigStatement(String componentId, String na
 
     protected void convertFedMapperToComponent(String realmId, String parentId, String newMapperType) throws CustomChangeException {
         try {
-            PreparedStatement statement = jdbcConnection.prepareStatement("select ID, NAME, FEDERATION_MAPPER_TYPE from " + getTableName("USER_FEDERATION_MAPPER") + " WHERE FEDERATION_PROVIDER_ID='" + parentId + "'");
+            PreparedStatement statement = jdbcConnection.prepareStatement("select ID, NAME, FEDERATION_MAPPER_TYPE from " + getTableName("USER_FEDERATION_MAPPER") + " WHERE FEDERATION_PROVIDER_ID=?");
+            statement.setString(1, parentId);
 
             try {
                 ResultSet resultSet = statement.executeQuery();
@@ -157,10 +162,12 @@ protected void convertFedMapperToComponent(String realmId, String parentId, Stri
                             configStatement.close();
                         }
                         DeleteStatement configDelete = new DeleteStatement(null, null, database.correctObjectName("USER_FEDERATION_MAPPER_CONFIG", Table.class));
-                        configDelete.setWhere("USER_FEDERATION_MAPPER_ID='" + id + "'");
+                        configDelete.setWhere("USER_FEDERATION_MAPPER_ID=?");
+                        configDelete.addWhereParameters(id);
                         statements.add(configDelete);
                         DeleteStatement deleteStatement = new DeleteStatement(null, null, database.correctObjectName("USER_FEDERATION_MAPPER", Table.class));
-                        deleteStatement.setWhere("ID='" + id + "'");
+                        deleteStatement.setWhere("ID=?");
+                        deleteStatement.addWhereParameters(id);
                         statements.add(deleteStatement);
 
 
diff --git a/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/AddRealmCodeSecret.java b/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/AddRealmCodeSecret.java
@@ -59,7 +59,7 @@ public SqlStatement[] generateStatements(Database database) throws CustomChangeE
 
                     UpdateStatement statement = new UpdateStatement(null, null, correctedTableName)
                             .addNewColumnValue("CODE_SECRET", KeycloakModelUtils.generateCodeSecret())
-                            .setWhereClause("ID='" + id + "'");
+                            .setWhereClause("ID=?").addWhereParameters(id);
                     statements.add(statement);
 
                     if (!resultSet.isFirst()) {
