@digitalwalletcorp/sql-builder 1.0.2 → 1.2.0

package/README.md

@@ -38,7 +38,7 @@ You provide the `SQLBuilder` with a template string containing special, S2Dao-st
 
 This is the most common use case. The `WHERE` clause is built dynamically based on which properties exist in the `bindEntity`.
 
-##### Template:
+**Template:**
 
 ```sql
 SELECT
@@ -55,7 +55,7 @@ ORDER BY started_at DESC
 LIMIT /*limit*/100
 ```
 
-##### Code:
+**Code:**
 
 ```typescript
 import { SQLBuilder } from '@digitalwalletcorp/sql-builder';
@@ -81,7 +81,7 @@ const sql2 = builder.generateSQL(template, bindEntity2);
 console.log(sql2);
 ```
 
-##### Resulting SQL:
+**Resulting SQL:**
 
 * SQL 1 (Scenario A): The `project_name` condition is excluded, but the `status` condition is included.
 
@@ -114,7 +114,7 @@ LIMIT 100
 
 Use a `/*FOR...*/` block to iterate over an array and generate SQL for each item. This is useful for building multiple `LIKE` conditions.
 
-##### Template:
+**Template:**
 
 ```sql
 SELECT * FROM activity
@@ -122,7 +122,7 @@ WHERE 1 = 1
 /*FOR name:projectNames*/AND project_name LIKE '%' || /*name*/'default' || '%'/*END*/
 ```
 
-##### Code:
+**Code:**
 
 ```typescript
 import { SQLBuilder } from '@digitalwalletcorp/sql-builder';
@@ -138,7 +138,7 @@ const sql = builder.generateSQL(template, bindEntity);
 console.log(sql);
 ```
 
-##### Resulting SQL:
+**Resulting SQL:**
 
 ```sql
 SELECT * FROM activity
@@ -162,6 +162,68 @@ Generates a final SQL string by processing the template with the provided data e
 * `entity`: A data object whose properties are used for evaluating conditions (`/*IF...*/`) and binding values (`/*variable*/`).
 * Returns: The generated SQL string.
 
+##### `generateParameterizedSQL(template: string, entity: Record<string, any>, bindType: 'postgres' | 'mysql' | 'oracle'): [string, Array<any> | Record<string, any>]`
+
+Generates a SQL string with placeholders for prepared statements and returns an array of bind parameters. This method is crucial for preventing SQL injection.
+
+* `template`: The SQL template string containing S2Dao-style comments.
+* `entity`: A data object whose properties are used for evaluating conditions (`/*IF...*/`) and binding values.
+* `bindType`: Specifies the database type ('postgres', 'mysql', or 'oracle') to determine the correct placeholder syntax (`$1`, `?`, or `:name`).
+
+    **Note on `bindType` Mapping:**
+    While `bindType` explicitly names PostgreSQL, MySQL, and Oracle, the generated placeholder syntax is compatible with other SQL databases as follows:
+
+    | `bindType` | Placeholder Syntax | Compatible Databases | Bind Parameter Type |
+    | :------------- | :----------------- | :------------------- | :------------------ |
+    | `postgres`     | `$1`, `$2`, ...    | **PostgreSQL** | `Array<any>`        |
+    | `mysql`        | `?`, `?`, ...      | **MySQL**, **SQLite**, **SQL Server** (for unnamed parameters) | `Array<any>`        |
+    | `oracle`       | `:name`, `:age`, ... | **Oracle**, **SQLite** (for named parameters) | `Record<string, any>` |
+
+* Returns: A tuple `[sql, bindParams]`.
+    * `sql`: The generated SQL query with appropriate placeholders.
+    * `bindParams`: An array of values (for PostgreSQL/MySQL) or an object of named values (for Oracle) to bind to the placeholders.
+
+##### Example 3: Parameterized SQL with PostgreSQL
+
+**Template:**
+
+```sql
+SELECT
+  id,
+  user_name
+FROM users
+/*BEGIN*/WHERE
+  1 = 1
+  /*IF userId != null*/AND user_id = /*userId*/0/*END*/
+  /*IF projectNames.length*/AND project_name IN /*projectNames*/('default_project')/*END*/
+/*END*/
+```
+
+**Code:**
+
+```typescript
+import { SQLBuilder } from '@digitalwalletcorp/sql-builder';
+
+const builder = new SQLBuilder();
+const template = `...`; // The SQL template from above
+
+const bindEntity = {
+  userId: 123,
+  projectNames: ['project_a', 'project_b']
+};
+
+const [sql, params] = builder.generateParameterizedSQL(template, bindEntity, 'postgres');
+console.log('SQL:', sql);
+console.log('Parameters:', params);
+```
+
+**Resulting SQL & Parameters:**
+
+```
+SQL: SELECT id, user_name FROM users WHERE 1 = 1 AND user_id = $1 AND project_name IN ($2, $3)
+Parameters: [ 123, 'project_a', 'project_b' ]
+```
+
 ## 🪄 Special Comment Syntax
 
 | Tag | Syntax | Description |
@@ -172,6 +234,49 @@ Generates a final SQL string by processing the template with the provided data e
 | Bind Variable | `/*variable*/` | Binds a value from the `entity`. It automatically formats values: strings are quoted (`'value'`), numbers are left as is (`123`), and arrays are turned into comma-separated lists in parentheses (`('a','b',123)`). |
 | END | `/*END*/` | Marks the end of an `IF`, `BEGIN`, or `FOR` block. |
 
+---
+### 💡 Supported Property Paths
+
+For `/*variable*/` (Bind Variable) tags and the `collection` part of `/*FOR item:collection*/` tags, you can specify a path to access properties within the `entity` object.
+
+* **Syntax:** `propertyName`, `nested.property`.
+* **Supported:** Direct property access (e.g., `user.id`, `order.items.length`).
+* **Unsupported:** Function calls (e.g., `user.name.trim()`, `order.items.map(...)`) or any complex JavaScript expressions.
+
+**Example:**
+
+* **Valid Expression:** `/*userId*/` (accesses `entity.userId` as simple property)
+* **Valid Expression:** `/*items*/` (accesses `entity.items` as array)
+* **Invalid Expression:** `/*userId.slice(0, 10)*/` (Function call)
+* **Invalid Expression:** `/*items.filter(...)*/` (Function call)
+
+---
+
+### 💡 Supported `IF` Condition Syntax
+
+The `condition` inside an `/*IF ...*/` tag is evaluated as a JavaScript expression against the `entity` object. To ensure security and maintain simplicity, only a **limited subset of JavaScript syntax** is supported.
+
+**Supported Operations:**
+
+* **Entity Property Access:** You can reference properties from the `entity` object (e.g., `propertyName`, `nested.property`).
+* **Object Property Access:** Access the `length`, `size` or other property of object (e.g., `String.length`, `Array.length`, `Set.size`, `Map.size`).
+* **Comparison Operators:** `==`, `!=`, `===`, `!==`, `<`, `<=`, `>`, `>=`
+* **Logical Operators:** `&&` (AND), `||` (OR), `!` (NOT)
+* **Literals:** Numbers (`123`, `0.5`), Booleans (`true`, `false`), `null`, `undefined`, and string literals (`'value'`, `"value"`).
+* **Parentheses:** `()` for grouping expressions.
+
+**Unsupported Operations (and will cause an error if used):**
+
+* **Function Calls:** You **cannot** call functions on properties (e.g., `user.name.startsWith('A')`, `array.map(...)`).
+
+**Example:**
+
+* **Valid Condition:** `user.age > 18 && user.name.length > 0 && user.id != null`
+* **Invalid Condition:** `user.name.startsWith('A')` (Function call)
+* **Invalid Condition:** `user.role = 'admin'` (Assignment)
+
+---
+
 ## 📜 License
 
 This project is licensed under the MIT License. See the [LICENSE](https://opensource.org/licenses/MIT) file for details.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digitalwalletcorp/sql-builder",
-  "version": "1.0.2",
+  "version": "1.2.0",
   "description": "This is a library for building SQL",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",

package/src/abstract-syntax-tree.ts

@@ -0,0 +1,334 @@
+import * as common from './common';
+
+type Token =
+  | { type: 'IDENTIFIER'; value: string } // 例: param, length
+  | { type: 'OPERATOR'; value: string }   // 例: >, &&, ===, !=
+  | { type: 'NUMBER'; value: number }     // 例: 100.123
+  | { type: 'BOOLEAN'; value: boolean }   // 例: true, false
+  | { type: 'NULL' }
+  | { type: 'UNDEFINED' }
+  | { type: 'STRING'; value: string }     // 例: 'abc'
+  | { type: 'PARENTHESIS'; value: '(' | ')' };
+
+type RpnToken = Token | { type: 'MEMBER_ACCESS_PART', value: string };
+
+// 演算子の優先順位と結合性 (より長い演算子を先に定義)
+const PRECEDENCE: {
+  [op: string]: {
+    precedence: number;
+    associativity: 'left' | 'right'
+  }
+} = {
+  '||': { precedence: 1, associativity: 'left' },
+  '&&': { precedence: 2, associativity: 'left' },
+  '==': { precedence: 3, associativity: 'left' },
+  '!=': { precedence: 3, associativity: 'left' },
+  '===': { precedence: 3, associativity: 'left' },
+  '!==': { precedence: 3, associativity: 'left' },
+  '<': { precedence: 4, associativity: 'left' },
+  '<=': { precedence: 4, associativity: 'left' },
+  '>': { precedence: 4, associativity: 'left' },
+  '>=': { precedence: 4, associativity: 'left' },
+  '!': { precedence: 5, associativity: 'right' } // 単項演算子は高優先度
+};
+
+/**
+ * SQLBuilderの条件文(*IF*)で指定された条件文字列を解析するためのAST。
+ * JavaScriptの文法をカバーするものではなく、SQLBuilderで利用可能な限定的な構文のみサポートする。
+ */
+export class AbstractSyntaxTree {
+
+  /**
+   * 与えられた条件文字列を構文解析し、entityに対する条件として成立するか評価する
+   *
+   * @param {string} condition "params != null && params.length > 10" のような条件
+   * @param {Record<string, any>} entity
+   * @returns {boolean}
+   */
+  public evaluateCondition(condition: string, entity: Record<string, any>): boolean {
+    try {
+      const tokens = this.tokenize(condition); // トークン化
+      const rpnTokens = this.shuntingYard(tokens); // RPN変換
+      const result = this.evaluateRpn(rpnTokens, entity); // 評価
+      return result;
+    } catch (error) {
+      console.warn('Error evaluating condition:', condition, entity, error);
+      throw error;
+    }
+  }
+
+  /**
+   * 与えられた条件文字列をトークンに分割する
+   *
+   * @param {string} condition
+   * @returns {Token[]}
+   */
+  public tokenize(condition: string): Token[] {
+    const tokens: Token[] = [];
+    let i = 0;
+    while (i < condition.length) {
+      const char = condition[i];
+      // 空白をスキップ
+      if (/\s/.test(char)) {
+        i++;
+        continue;
+      }
+
+      // 演算子 (長いものからチェック)
+      // 3桁定義
+      const chunk3 = condition.substring(i, i + 3);
+      switch (chunk3) {
+        case '===':
+        case '!==':
+          tokens.push({ type: 'OPERATOR', value: chunk3 });
+          i += 3;
+          continue;
+        default:
+      }
+      // 2桁定義
+      const chunk2 = condition.substring(i, i + 2);
+      switch (chunk2) {
+        case '==':
+        case '!=':
+        case '<=':
+        case '>=':
+        case '&&':
+        case '||':
+          tokens.push({ type: 'OPERATOR', value: chunk2 });
+          i += 2;
+          continue;
+        default:
+      }
+      // 1桁定義
+      const chunk1 = char;
+      switch (chunk1) {
+        case '>':
+        case '<':
+        case '!':
+        case '=':
+          tokens.push({ type: 'OPERATOR', value: chunk1 });
+          i += 1;
+          continue;
+        // case '.':
+        //   tokens.push({ type: 'IDENTIFIER', value: chunk1 }); // '.'も識別子の一部として扱う
+        //   i += 1;
+        //   continue;
+        case '(':
+        case ')':
+          tokens.push({ type: 'PARENTHESIS', value: chunk1 });
+          i += 1;
+          continue;
+        default:
+      }
+
+      const reststring = condition.substring(i); // 現在のインデックスから末尾までの文字列
+      // 数値リテラル
+      const numMatch = reststring.match(/^-?\d+(\.\d+)?/);
+      if (numMatch) {
+        tokens.push({ type: 'NUMBER', value: parseFloat(numMatch[0]) });
+        i += numMatch[0].length;
+        continue;
+      }
+
+      // 文字列リテラル
+      switch (chunk1) {
+        case '\'':
+        case '"':
+          const quote = chunk1;
+          let j = i + 1;
+          let strValue = '';
+          while (j < condition.length && condition[j] !== quote) {
+            // エスケープ文字の処理 (\' や \\) は必要に応じて追加
+            if (condition[j] === '\\' && j + 1 < condition.length) {
+                strValue += condition[j+1];
+                j += 2;
+            } else {
+                strValue += condition[j];
+                j++;
+            }
+          }
+          if (condition[j] === quote) {
+            tokens.push({ type: 'STRING', value: strValue });
+            i = j + 1;
+            continue;
+          } else {
+            // クォートが閉じられていない
+            throw new Error('Unterminated string literal');
+          }
+        default:
+      }
+
+      // 識別子 (変数名, true, false, null, undefined, length)
+      const identMatch = reststring.match(/^[a-zA-Z_][a-zA-Z0-9_.]*/); // ドットを含む識別子
+      if (identMatch) {
+        const ident = identMatch[0];
+        switch (ident) {
+          case 'true':
+            tokens.push({ type: 'BOOLEAN', value: true });
+            break;
+          case 'false':
+            tokens.push({ type: 'BOOLEAN', value: false });
+            break;
+          case 'null':
+            tokens.push({ type: 'NULL' });
+            break;
+          case 'undefined':
+            tokens.push({ type: 'UNDEFINED' });
+            break;
+          default:
+            tokens.push({ type: 'IDENTIFIER', value: ident }); // プロパティ名
+        }
+        i += ident.length;
+        continue;
+      }
+
+      // 未知の文字
+      throw new Error(`Unexpected character in condition: ${char} at index ${i}`);
+    }
+    return tokens;
+  }
+
+  /**
+   * Shunting Yardアルゴリズムで構文を逆ポーランド記法(Reverse Polish Notation)に変換する
+   *
+   * @param {Token[]} tokens
+   * @returns {RpnToken[]}
+   */
+  private shuntingYard(tokens: Token[]): RpnToken[] {
+    const output: RpnToken[] = [];
+    const operatorStack: Token[] = [];
+
+    for (const token of tokens) {
+      const type = token.type;
+      switch (type) {
+        case 'NUMBER':
+        case 'BOOLEAN':
+        case 'NULL':
+        case 'UNDEFINED':
+        case 'STRING':
+          output.push(token);
+          break;
+        case 'IDENTIFIER':
+          // 識別子（プロパティパスの可能性）をそのまま出力
+          output.push(token);
+          break;
+        case 'OPERATOR':
+          const op1 = token;
+          while (operatorStack.length) {
+            // TODO: 型キャストが必要になるので、Geniericsを強化する
+            const op2 = operatorStack[operatorStack.length - 1] as { type: string, value: string };
+
+            // 括弧内は処理しない
+            if (op2.value === '(') {
+              break;
+            }
+
+            // 優先順位のルールに従う
+            if (
+              (PRECEDENCE[op1.value].associativity === 'left' && PRECEDENCE[op1.value].precedence <= PRECEDENCE[op2.value].precedence)
+              // ||
+              // (PRECEDENCE[op1.value].associativity === 'right' && PRECEDENCE[op1.value].precedence < PRECEDENCE[op2.value].precedence)
+            ) {
+              output.push(operatorStack.pop()!);
+            } else {
+              break;
+            }
+          }
+          operatorStack.push(op1);
+          break;
+        case 'PARENTHESIS':
+          if (token.value === '(') {
+            operatorStack.push(token);
+          } else if (token.value === ')') {
+            let foundLeftParen = false;
+            while (operatorStack.length > 0) {
+              const op = operatorStack.pop()!;
+              if ('value' in op && op.value === '(') {
+                foundLeftParen = true;
+                break;
+              }
+              output.push(op);
+            }
+            if (!foundLeftParen) {
+              throw new Error('Mismatched parentheses');
+            }
+          }
+          break;
+        default:
+          throw new Error(`Unexpected token type: ${type}`);
+      }
+    }
+
+    while (operatorStack.length) {
+      const op = operatorStack.pop()!;
+      if ('value' in op && (op.value === '(' || op.value === ')')) {
+        throw new Error('Mismatched parentheses');
+      }
+      output.push(op);
+    }
+
+    return output;
+  }
+
+  /**
+   * 逆ポーランド記法(Reverse Polish Notation)のトークンを評価する
+   *
+   * @param {RpnToken[]} rpnTokens
+   * @param {Record<string, any>} entity
+   * @returns {boolean}
+   */
+  private evaluateRpn(rpnTokens: RpnToken[], entity: Record<string, any>): boolean {
+    const stack: any[] = [];
+
+    for (const token of rpnTokens) {
+      const type = token.type;
+      switch (type) {
+        case 'NUMBER':
+        case 'BOOLEAN':
+        case 'NULL':
+        case 'UNDEFINED':
+        case 'STRING':
+          if ('value' in token) {
+            stack.push(token.value);
+          }
+          break;
+        case 'IDENTIFIER':
+          stack.push(common.getProperty(entity, token.value));
+          break;
+        case 'OPERATOR':
+          // 単項演算子 '!'
+          if (token.value === '!') {
+            const operand = stack.pop();
+            stack.push(!operand);
+            break;
+          }
+
+          // 二項演算子
+          const right = stack.pop();
+          const left = stack.pop();
+
+          switch (token.value) {
+            case '==': stack.push(left == right); break;
+            case '!=': stack.push(left != right); break;
+            case '===': stack.push(left === right); break;
+            case '!==': stack.push(left !== right); break;
+            case '<': stack.push(left < right); break;
+            case '<=': stack.push(left <= right); break;
+            case '>': stack.push(left > right); break;
+            case '>=': stack.push(left >= right); break;
+            case '&&': stack.push(left && right); break;
+            case '||': stack.push(left || right); break;
+            default: throw new Error(`Unknown operator: ${token.value}`);
+          }
+          break;
+        default:
+          throw new Error(`Unexpected token type in RPN: ${type}`);
+      }
+    }
+
+    if (stack.length !== 1) {
+      throw new Error('Invalid expression');
+    }
+    return !!stack[0];
+  }
+}

package/src/common.ts

@@ -0,0 +1,19 @@
+/**
+ * entityで指定したオブジェクトからドットで連結されたプロパティキーに該当する値を取得する
+ *
+ * @param {Record<string, any>} entity
+ * @param {string} property
+ * @returns {any}
+ */
+export function getProperty(entity: Record<string, any>, property: string): any {
+  const propertyPath = property.split('.');
+  let value = entity;
+  for (const prop of propertyPath) {
+    if (value && value.hasOwnProperty(prop)) {
+      value = value[prop];
+    } else {
+      return undefined;
+    }
+  }
+  return value;
+}

package/src/sql-builder.ts

@@ -1,3 +1,6 @@
+import * as common from './common';
+import { AbstractSyntaxTree } from './abstract-syntax-tree';
+
 type TagType = 'BEGIN' | 'IF' | 'FOR' | 'END' | 'BIND';
 type ExtractValueType<T extends 'string' | 'array' | 'object'>
   = T extends 'string'
@@ -6,6 +9,27 @@ type ExtractValueType<T extends 'string' | 'array' | 'object'>
       ? any[] | undefined
       : Record<string, any> | undefined;
 
+/**
+ * PostgreSQL: $1, $2... 配列
+ * MySQL: ? 配列
+ * SQLite: ?, $name, :name 配列またはオブジェクト
+ * SQL Server: ?, `@name` 配列またはオブジェクト
+ * Oracle: :name オブジェクト
+ *
+ * 以下をサポートする
+ * ・$1, $2 (postgres)
+ * ・? (mysql) SQLite, SQL Serverもこれで代替可能
+ * ・:name (oracle) SQLiteもこれで代替可能
+ */
+type BindType = 'postgres' | 'mysql' | 'oracle';
+
+type BindParameterType<T extends 'postgres' | 'mysql' | 'oracle'>
+  = T extends 'postgres'
+    ? any[]
+    : T extends 'mysql'
+      ? any[]
+      : Record<string, any>;
+
 interface TagContext {
   type: TagType;
   match: string;
@@ -90,6 +114,48 @@ export class SQLBuilder {
     return result;
   }
 
+  /**
+   * 指定したテンプレートにエンティティの値をバインド可能なプレースホルダー付きSQLを生成し、
+   * バインドパラメータと共にタプル型で返却する
+   *
+   * @param {string} template
+   * @param {Record<string, any>} entity
+   * @param {BindType} bindType
+   * @returns {[string, BindParameterType<T>]}
+   */
+  public generateParameterizedSQL<T extends BindType>(template: string, entity: Record<string, any>, bindType: T): [string, BindParameterType<T>] {
+
+    let bindParams: BindParameterType<T>;
+    switch (bindType) {
+      case 'postgres':
+      case 'mysql':
+        bindParams = [] as unknown as BindParameterType<T>;
+        break;
+      case 'oracle':
+        bindParams = {} as BindParameterType<T>;
+        break;
+      default:
+        throw new Error(`Unsupported bind type: ${bindType}`);
+    }
+
+    /**
+     * 「\/* *\/」で囲まれたすべての箇所を抽出
+     */
+    const allMatchers = template.match(this.REGEX_TAG_PATTERN);
+    if (!allMatchers) {
+      return [template, bindParams];
+    }
+
+    const tagContexts = this.createTagContexts(template);
+    const pos: SharedIndex = { index: 0 };
+    const result = this.parse(pos, template, entity, tagContexts, {
+      bindType: bindType,
+      bindIndex: 1,
+      bindParams: bindParams
+    });
+    return [result, bindParams];
+  }
+
   /**
    * テンプレートに含まれるタグ構成を解析してコンテキストを返す
    *
@@ -101,57 +167,56 @@ export class SQLBuilder {
     /**
      * 「\/* *\/」で囲まれたすべての箇所を抽出
      */
-    const rootMatcher = template.match(this.REGEX_TAG_PATTERN);
+    const matches = template.matchAll(this.REGEX_TAG_PATTERN);
 
     // まず最初にREGEX_TAG_PATTERNで解析した情報をそのままフラットにTagContextの配列に格納
     let pos = 0;
     const tagContexts: TagContext[] = [];
-    if (rootMatcher) {
-      for (const matchContent of rootMatcher) {
-        const index = template.indexOf(matchContent, pos);
-        pos = index + 1;
-        const tagContext: TagContext = {
-          type: null as unknown as TagType,
-          match: matchContent,
-          contents: '',
-          startIndex: index,
-          endIndex: index + matchContent.length,
-          sub: [],
-          parent: null,
-          status: 0
-        };
-        switch (true) {
-          case matchContent === '/*BEGIN*/': {
-            tagContext.type = 'BEGIN';
-            break;
-          }
-          case matchContent.startsWith('/*IF'): {
-            tagContext.type = 'IF';
-            const contentMatcher = matchContent.match(/^\/\*IF\s+(.*?)\*\/$/);
-            tagContext.contents = contentMatcher && contentMatcher[1] || '';
-            break;
-          }
-          case matchContent.startsWith('/*FOR'): {
-            tagContext.type = 'FOR';
-            const contentMatcher = matchContent.match(/^\/\*FOR\s+(.*?)\*\/$/);
-            tagContext.contents = contentMatcher && contentMatcher[1] || '';
-            break;
-          }
-          case matchContent === '/*END*/': {
-            tagContext.type = 'END';
-            break;
-          }
-          default: {
-            tagContext.type = 'BIND';
-            const contentMatcher = matchContent.match(/\/\*(.*?)\*\//);
-            tagContext.contents = contentMatcher && contentMatcher[1] || '';
-            // ダミー値の終了位置をendIndexに設定
-            const dummyEndIndex = this.getDummyParamEndIndex(template, tagContext);
-            tagContext.endIndex = dummyEndIndex;
-          }
+    for (const match of matches) {
+      const matchContent = match[0];
+      const index = match.index;
+      pos = index + 1;
+      const tagContext: TagContext = {
+        type: 'BIND', // ダミーの初期値。後続処理で適切なタイプに変更する。
+        match: matchContent,
+        contents: '',
+        startIndex: index,
+        endIndex: index + matchContent.length,
+        sub: [],
+        parent: null,
+        status: 0
+      };
+      switch (true) {
+        case matchContent === '/*BEGIN*/': {
+          tagContext.type = 'BEGIN';
+          break;
+        }
+        case matchContent.startsWith('/*IF'): {
+          tagContext.type = 'IF';
+          const contentMatcher = matchContent.match(/^\/\*IF\s+(.*?)\*\/$/);
+          tagContext.contents = contentMatcher && contentMatcher[1] || '';
+          break;
+        }
+        case matchContent.startsWith('/*FOR'): {
+          tagContext.type = 'FOR';
+          const contentMatcher = matchContent.match(/^\/\*FOR\s+(.*?)\*\/$/);
+          tagContext.contents = contentMatcher && contentMatcher[1] || '';
+          break;
+        }
+        case matchContent === '/*END*/': {
+          tagContext.type = 'END';
+          break;
+        }
+        default: {
+          tagContext.type = 'BIND';
+          const contentMatcher = matchContent.match(/\/\*(.*?)\*\//);
+          tagContext.contents = contentMatcher && contentMatcher[1] || '';
+          // ダミー値の終了位置をendIndexに設定
+          const dummyEndIndex = this.getDummyParamEndIndex(template, tagContext);
+          tagContext.endIndex = dummyEndIndex;
         }
-        tagContexts.push(tagContext);
       }
+      tagContexts.push(tagContext);
     }
 
     // できあがったTagContextの配列から、BEGEN、IFの場合は次の対応するENDが出てくるまでをsubに入れ直して構造化し、
@@ -218,9 +283,17 @@ export class SQLBuilder {
    * @param {string} template
    * @param {Record<string, any>} entity
    * @param {TagContext[]} tagContexts
+   * @param {*} [options]
+   *   ├ bindType BindType
+   *   ├ bindIndex number
+   *   ├ bindParams BindParameterType<T>
    * @returns {string}
    */
-  private parse(pos: SharedIndex, template: string, entity: Record<string, any>, tagContexts: TagContext[]): string {
+  private parse<T extends BindType>(pos: SharedIndex, template: string, entity: Record<string, any>, tagContexts: TagContext[], options?: {
+    bindType: T,
+    bindIndex: number,
+    bindParams: BindParameterType<T>
+  }): string {
     let result = '';
     for (const tagContext of tagContexts) {
       switch (tagContext.type) {
@@ -228,7 +301,7 @@ export class SQLBuilder {
           result += template.substring(pos.index, tagContext.startIndex);
           pos.index = tagContext.endIndex;
           // BEGINのときは無条件にsubに対して再帰呼び出し
-          result += this.parse(pos, template, entity, tagContext.sub);
+          result += this.parse(pos, template, entity, tagContext.sub, options);
           break;
         }
         case 'IF': {
@@ -237,7 +310,7 @@ export class SQLBuilder {
           if (this.evaluateCondition(tagContext.contents, entity)) {
             // IF条件が成立する場合はsubに対して再帰呼び出し
             tagContext.status = 10;
-            result += this.parse(pos, template, entity, tagContext.sub);
+            result += this.parse(pos, template, entity, tagContext.sub, options);
           } else {
             // IF条件が成立しない場合は再帰呼び出しせず、subのENDタグのendIndexをposに設定
             const endTagContext = tagContext.sub[tagContext.sub.length - 1];
@@ -255,7 +328,10 @@ export class SQLBuilder {
             for (const value of array) {
               // 再帰呼び出しによりposが進むので、ループのたびにposを戻す必要がある
               pos.index = tagContext.endIndex;
-              result += this.parse(pos, template, { [bindName]: value }, tagContext.sub);
+              result += this.parse(pos, template, {
+                ...entity,
+                [bindName]: value
+              }, tagContext.sub, options);
               // FORループするときは各行で改行する
               result += '\n';
             }
@@ -282,8 +358,61 @@ export class SQLBuilder {
         case 'BIND': {
           result += template.substring(pos.index, tagContext.startIndex);
           pos.index = tagContext.endIndex;
-          const value = this.extractValue(tagContext.contents, entity);
-          result += value == null ? '' : String(value);
+          const value = common.getProperty(entity, tagContext.contents);
+          switch (options?.bindType) {
+            case 'postgres': {
+              // PostgreSQL形式の場合、$Nでバインドパラメータを展開
+              if (Array.isArray(value)) {
+                const placeholders: string[] = [];
+                for (const item of value) {
+                  placeholders.push(`$${options.bindIndex++}`);
+                  (options.bindParams as any[]).push(item);
+                }
+                result += `(${placeholders.join(',')})`; // IN ($1,$2,$3)
+              } else {
+                result += `$${options.bindIndex++}`;
+                (options.bindParams as any[]).push(value);
+              }
+              break;
+            }
+            case 'mysql': {
+              // MySQL形式の場合、?でバインドパラメータを展開
+              if (Array.isArray(value)) {
+                const placeholders: string[] = [];
+                for (const item of value) {
+                  placeholders.push('?');
+                  (options.bindParams as any[]).push(item);
+                }
+                result += `(${placeholders.join(',')})`; // IN (?,?,?)
+              } else {
+                result += '?';
+                (options.bindParams as any[]).push(value);
+              }
+              break;
+            }
+            case 'oracle': {
+              // Oracle形式の場合、名前付きバインドでバインドパラメータを展開
+              if (Array.isArray(value)) {
+                const placeholders: string[] = [];
+                for (let i = 0; i < value.length; i++) {
+                  // 名前付きバインドで配列の場合は名前が重複する可能性があるので枝番を付与
+                  const paramName = `${tagContext.contents}_${i}`; // :projectNames_0, :projectNames_1
+                  placeholders.push(`:${paramName}`);
+                  (options.bindParams as Record<string, any>)[paramName] = value[i];
+                }
+                result += `(${placeholders.join(',')})`; // IN (:p_0,:p_1,:p3)
+              } else {
+                result += `:${tagContext.contents}`;
+                (options.bindParams as Record<string, any>)[tagContext.contents] = value;
+              }
+              break;
+            }
+            default: {
+              // generateSQLの場合
+              const escapedValue = this.extractValue(tagContext.contents, entity);
+              result += escapedValue ?? '';
+            }
+          }
           break;
         }
         default:
@@ -375,16 +504,9 @@ export class SQLBuilder {
    */
   private evaluateCondition(condition: string, entity: Record<string, any>): boolean {
     try {
-      const evaluate = new Function('entity', `
-        with (entity) {
-          try {
-            return ${condition};
-          } catch(error) {
-            return false;
-          }
-        }`
-      );
-      return !!evaluate(entity);
+      const ast = new AbstractSyntaxTree();
+      const result = ast.evaluateCondition(condition, entity);
+      return result;
     } catch (error) {
       console.warn('Error evaluating condition:', condition, entity, error);
       return false;
@@ -393,6 +515,7 @@ export class SQLBuilder {
 
   /**
    * entityからparamで指定した値を文字列で取得する
+   * entityの値がstringの場合、SQLインジェクションの危険のある文字はエスケープする
    *
    * * 返却する値が配列の場合は丸括弧で括り、各項目をカンマで区切る
    *   ('a', 'b', 'c')
@@ -412,15 +535,7 @@ export class SQLBuilder {
     responseType?: T
   }): ExtractValueType<T> {
     try {
-      const propertyPath = property.split('.');
-      let value: any = entity;
-      for (const prop of propertyPath) {
-        if (value && value.hasOwnProperty(prop)) {
-          value = value[prop];
-        } else {
-          return undefined as ExtractValueType<T>;
-        }
-      }
+      const value = common.getProperty(entity, property);
       let result = '';
       switch (options?.responseType) {
         case 'array':