Merge from upstream master.

Author: Wood, Roger C

QueryBuilder/ColumnAttribute.cs

@@ -14,6 +14,7 @@ public ColumnAttribute(string name)
             {
                 throw new ArgumentNullException("Name parameter is required");
             }
+
             Name = name;
         }
 

QueryBuilder/Compilers/Compiler.Conditions.cs

@@ -26,7 +26,12 @@ protected virtual string CompileCondition(SqlResult ctx, AbstractCondition claus
 
             try
             {
-                var result = methodInfo.Invoke(this, new object[] { ctx, clause });
+
+                var result = methodInfo.Invoke(this, new object[] {
+                    ctx,
+                    clause
+                });
+
                 return result as string;
             }
             catch (Exception ex)

QueryBuilder/Compilers/Compiler.cs

@@ -9,7 +9,7 @@ public partial class Compiler
     {
         private readonly ConditionsCompilerProvider _compileConditionMethodsProvider;
         protected virtual string parameterPlaceholder { get; set; } = "?";
-        protected virtual string parameterPlaceholderPrefix { get; set; } = "@p";
+        protected virtual string parameterPrefix { get; set; } = "@p";
         protected virtual string OpeningIdentifier { get; set; } = "\"";
         protected virtual string ClosingIdentifier { get; set; } = "\"";
         protected virtual string ColumnAsKeyword { get; set; } = "AS ";
@@ -48,13 +48,13 @@ protected Compiler()
         protected Dictionary<string, object> generateNamedBindings(object[] bindings)
         {
             return Helper.Flatten(bindings).Select((v, i) => new { i, v })
-                .ToDictionary(x => parameterPlaceholderPrefix + x.i, x => x.v);
+                .ToDictionary(x => parameterPrefix + x.i, x => x.v);
         }
 
         protected SqlResult PrepareResult(SqlResult ctx)
         {
             ctx.NamedBindings = generateNamedBindings(ctx.Bindings.ToArray());
-            ctx.Sql = Helper.ReplaceAll(ctx.RawSql, parameterPlaceholder, i => parameterPlaceholderPrefix + i);
+            ctx.Sql = Helper.ReplaceAll(ctx.RawSql, parameterPlaceholder, i => parameterPrefix + i);
             return ctx;
         }
 
@@ -79,7 +79,7 @@ private Query TransformAggregateQuery(Query query)
 
             var outerClause = new AggregateClause()
             {
-                Columns = new List<string> {"*"},
+                Columns = new List<string> { "*" },
                 Type = clause.Type
             };
 
@@ -129,6 +129,13 @@ protected virtual SqlResult CompileRaw(Query query)
             return ctx;
         }
 
+        /// <summary>
+        /// Add the passed operator(s) to the white list so they can be used with
+        /// the Where/Having methods, this prevent passing arbitrary operators
+        /// that opens the door for SQL injections.
+        /// </summary>
+        /// <param name="operators"></param>
+        /// <returns></returns>
         public Compiler Whitelist(params string[] operators)
         {
             foreach (var op in operators)
@@ -300,9 +307,10 @@ protected virtual SqlResult CompileInsertQuery(Query query)
 
             if (inserts[0] is InsertClause insertClause)
             {
-                ctx.RawSql = $"INSERT INTO {table}"
-                    + " (" + string.Join(", ", WrapArray(insertClause.Columns)) + ") "
-                    + "VALUES (" + string.Join(", ", Parameterize(ctx, insertClause.Values)) + ")";
+                var columns = string.Join(", ", WrapArray(insertClause.Columns));
+                var values = string.Join(", ", Parameterize(ctx, insertClause.Values));
+
+                ctx.RawSql = $"INSERT INTO {table} ({columns}) VALUES ({values})";
 
                 if (insertClause.ReturnId && !string.IsNullOrEmpty(LastId))
                 {
@@ -817,11 +825,11 @@ public virtual string WrapIdentifiers(string input)
             return input
 
                 // deprecated
-                .ReplaceIdentifierUnlessEscaped(this.EscapeCharacter,"{", this.OpeningIdentifier)
-                .ReplaceIdentifierUnlessEscaped(this.EscapeCharacter,"}", this.ClosingIdentifier)
+                .ReplaceIdentifierUnlessEscaped(this.EscapeCharacter, "{", this.OpeningIdentifier)
+                .ReplaceIdentifierUnlessEscaped(this.EscapeCharacter, "}", this.ClosingIdentifier)
 
-                .ReplaceIdentifierUnlessEscaped(this.EscapeCharacter,"[", this.OpeningIdentifier)
-                .ReplaceIdentifierUnlessEscaped(this.EscapeCharacter,"]", this.ClosingIdentifier);
+                .ReplaceIdentifierUnlessEscaped(this.EscapeCharacter, "[", this.OpeningIdentifier)
+                .ReplaceIdentifierUnlessEscaped(this.EscapeCharacter, "]", this.ClosingIdentifier);
         }
     }
 }

QueryBuilder/Compilers/CteFinder.cs

@@ -8,7 +8,7 @@ public class CteFinder
         private readonly string engineCode;
         private HashSet<string> namesOfPreviousCtes;
         private List<AbstractFrom> orderedCteList;
-        
+
         public CteFinder(Query query, string engineCode)
         {
             this.query = query;
@@ -21,21 +21,21 @@ public List<AbstractFrom> Find()
                 return orderedCteList;
 
             namesOfPreviousCtes = new HashSet<string>();
-            
-            orderedCteList = FindInternal(query);
-            
+
+            orderedCteList = findInternal(query);
+
             namesOfPreviousCtes.Clear();
             namesOfPreviousCtes = null;
 
             return orderedCteList;
         }
 
-        private List<AbstractFrom> FindInternal(Query queryToSearch)
+        private List<AbstractFrom> findInternal(Query queryToSearch)
         {
             var cteList = queryToSearch.GetComponents<AbstractFrom>("cte", engineCode);
 
             var resultList = new List<AbstractFrom>();
-            
+
             foreach (var cte in cteList)
             {
                 if (namesOfPreviousCtes.Contains(cte.Alias))
@@ -46,7 +46,7 @@ private List<AbstractFrom> FindInternal(Query queryToSearch)
 
                 if (cte is QueryFromClause queryFromClause)
                 {
-                    resultList.InsertRange(0, FindInternal(queryFromClause.Query));
+                    resultList.InsertRange(0, findInternal(queryFromClause.Query));
                 }
             }
 

QueryBuilder/Compilers/OracleCompiler.cs

@@ -11,7 +11,7 @@ public OracleCompiler()
         {
             ColumnAsKeyword = "";
             TableAsKeyword = "";
-            parameterPlaceholderPrefix = ":p";
+            parameterPrefix = ":p";
         }
 
         public override string EngineCode { get; } = EngineCodes.Oracle;

QueryBuilder/Compilers/SqliteCompiler.cs

@@ -8,7 +8,7 @@ public class SqliteCompiler : Compiler
     {
         public override string EngineCode { get; } = EngineCodes.Sqlite;
         protected override string parameterPlaceholder { get; set; } = "?";
-        protected override string parameterPlaceholderPrefix { get; set; } = "@p";
+        protected override string parameterPrefix { get; set; } = "@p";
         protected override string OpeningIdentifier { get; set; } = "\"";
         protected override string ClosingIdentifier { get; set; } = "\"";
         protected override string LastId { get; set; } = "select last_insert_rowid()";

QueryBuilder/IgnoreAttribute.cs

@@ -3,19 +3,22 @@
 namespace SqlKata
 {
     /// <summary>
-    /// This class is used as metadata to ignore a property on an object in order to exclude it from query
+    /// This class is used as metadata to ignore a property on insert and update queries
     /// </summary>
     /// <example>
     /// <code>
-    /// public class  Person  
-    /// { 
+    /// public class  Person
+    /// {
     ///    public string Name {get ;set;}
+    ///
     ///    [Ignore]
     ///    public string PhoneNumber {get ;set;}
     ///
     /// }
     ///
-    /// output: SELECT [Name] FROM [Person]
+    /// new Query("Table").Insert(new Person { Name = "User", PhoneNumber = "70123456" })
+    ///
+    /// output: INSERT INTO [Table] ([Name]) VALUES('User')
     /// </code>
     /// </example>
     public class IgnoreAttribute : Attribute

QueryBuilder/Query.Insert.cs

@@ -9,36 +9,11 @@ public partial class Query
     {
         public Query AsInsert(object data, bool returnId = false)
         {
-            var dictionary = BuildDictionaryOnInsert(data);
+            var dictionary = BuildDictionaryFromObject(data);
 
             return AsInsert(dictionary, returnId);
         }
 
-
-        private Dictionary<string, object> BuildDictionaryOnInsert(object data)
-        {
-
-            var dictionary = new Dictionary<string, object>();
-            var props = data.GetType().GetRuntimeProperties();
-
-            foreach (PropertyInfo property in props)
-            {
-                if (property.GetCustomAttribute(typeof(IgnoreAttribute)) != null)
-                {
-                    continue;
-                }
-
-                var value = property.GetValue(data);
-
-                var colAttr = property.GetCustomAttribute(typeof(ColumnAttribute)) as ColumnAttribute;
-                var name = colAttr?.Name ?? property.Name;
-                  
-                dictionary.Add(name, value);
-            }
-
-            return dictionary;
-        }
-
         public Query AsInsert(IEnumerable<string> columns, IEnumerable<object> values)
         {
             var columnsList = columns?.ToList();

QueryBuilder/Query.Update.cs

@@ -1,5 +1,4 @@
 using System;
-using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Linq;
 using System.Reflection;
@@ -12,40 +11,9 @@ public partial class Query
 
         public Query AsUpdate(object data)
         {
-            var dictionary = BuildDictionaryOnUpdate(data);
-            return AsUpdate(dictionary);
-        }
-
-        private static readonly ConcurrentDictionary<Type, PropertyInfo[]> CacheDictionaryProperties = new ConcurrentDictionary<Type, PropertyInfo[]>();
-
-        private Dictionary<string, object> BuildDictionaryOnUpdate(object data)
-        {
-            var dictionary = new Dictionary<string, object>();
-            var props = CacheDictionaryProperties.GetOrAdd(data.GetType(), type => type.GetRuntimeProperties().ToArray());
+            var dictionary = BuildDictionaryFromObject(data, considerKeys: true);
 
-            foreach (PropertyInfo property in props)
-            {
-                if (property.GetCustomAttribute(typeof(IgnoreAttribute)) != null)
-                {
-                    continue;
-                }
-
-                var value = property.GetValue(data);
-
-                var colAttr = property.GetCustomAttribute(typeof(ColumnAttribute)) as ColumnAttribute;
-                var name = colAttr?.Name ?? property.Name;
-                if (colAttr != null)
-                {
-                    if ((colAttr as KeyAttribute) != null)
-                    {
-                        this.Where(name, value);
-                    }
-                }
-
-                dictionary.Add(name, value);
-            }
-
-            return dictionary;
+            return AsUpdate(dictionary);
         }
 
         public Query AsUpdate(IEnumerable<string> columns, IEnumerable<object> values)
@@ -92,4 +60,4 @@ public Query AsUpdate(IReadOnlyDictionary<string, object> data)
         }
 
     }
-}
+}

QueryBuilder/Query.cs

@@ -1,6 +1,8 @@
 using System;
+using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Linq;
+using System.Reflection;
 
 namespace SqlKata
 {
@@ -309,6 +311,51 @@ public Query IncludeMany(string relationName, Query query, string foreignKey = n
         {
             return Include(relationName, query, foreignKey, localKey, isMany: true);
         }
+        
+        private static readonly ConcurrentDictionary<Type, PropertyInfo[]> CacheDictionaryProperties = new ConcurrentDictionary<Type, PropertyInfo[]>();
+
+        /// <summary>
+        /// Build a dictionary from plain object, intended to be used with Insert and Update queries
+        /// </summary>
+        /// <param name="data">the plain C# object</param>
+        /// <param name="considerKeys">
+        /// When true it will search for properties with the [Key] attribute
+        /// and add it automatically to the Where clause
+        /// </param>
+        /// <returns></returns>
+        private Dictionary<string, object> BuildDictionaryFromObject(object data, bool considerKeys = false)
+        {
+
+            var dictionary = new Dictionary<string, object>();
+            var props = CacheDictionaryProperties.GetOrAdd(data.GetType(), type => type.GetRuntimeProperties().ToArray());
+
+            foreach (var property in props)
+            {
+                if (property.GetCustomAttribute(typeof(IgnoreAttribute)) != null)
+                {
+                    continue;
+                }
+
+                var value = property.GetValue(data);
+
+                var colAttr = property.GetCustomAttribute(typeof(ColumnAttribute)) as ColumnAttribute;
+
+                var name = colAttr?.Name ?? property.Name;
+
+                dictionary.Add(name, value);
+
+                if (considerKeys && colAttr != null)
+                {
+                    if ((colAttr as KeyAttribute) != null)
+                    {
+                        this.Where(name, value);
+                    }
+                }
+
+            }
+
+            return dictionary;
+        }
 
     }
 }