SPR-7476 Improving named parameter parsing skipping escaped colons like '\:' and allowing for delimiting parameter names with curly brackets like :{p1}

org.springframework.jdbc/src/main/java/org/springframework/jdbc/core/namedparam/NamedParameterUtils.java

@@ -105,6 +105,12 @@ public abstract class NamedParameterUtils {
 					// :{x} style parameter
 					while (j < statement.length && !('}' == statement[j])) {
 						j++;
+						if (':' == statement[j] || '{' == statement[j] || isParameterSeparator(statement[j])) {
+							throw new InvalidDataAccessApiUsageException("Parameter name contains invalid character '" + statement[j] + "' at position " + i + " in statement " + sql);
+						}
+					}
+					if (j >= statement.length) {
+						throw new InvalidDataAccessApiUsageException("Non-terminated named parameter declaration at position " + i + " in statement " + sql);
 					}
 					if (j - i > 3) {
 						parameter = sql.substring(i + 2, j);

org.springframework.jdbc/src/test/java/org/springframework/jdbc/core/namedparam/NamedParameterUtilsTests.java

@@ -194,6 +194,8 @@ public class NamedParameterUtilsTests {
 
 		ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql);
 		assertEquals(2, parsedSql.getParameterNames().size());
+		assertEquals("p1", parsedSql.getParameterNames().get(0));
+		assertEquals("p2", parsedSql.getParameterNames().get(1));
 		String finalSql = NamedParameterUtils.substituteNamedParameters(parsedSql, null);
 		assertEquals(expectedSql, finalSql);
 	}
@@ -208,6 +210,8 @@ public class NamedParameterUtilsTests {
 
 		ParsedSql parsedSql = NamedParameterUtils.parseSqlStatement(sql);
 		assertEquals(2, parsedSql.getParameterNames().size());
+		assertEquals("p1", parsedSql.getParameterNames().get(0));
+		assertEquals("p2", parsedSql.getParameterNames().get(1));
 		String finalSql = NamedParameterUtils.substituteNamedParameters(parsedSql, null);
 		assertEquals(expectedSql, finalSql);
 	}