从HTTP GET请求参数生成搜索SQL

Question

We have a Java web app with a hibernate backend that provides REST resources. Now we're facing the task to implement a generic search that is controlled by the query parameters in our get request:

some/rest/resource?name_like=foo&created_on>=2012-09-12&sort_by_asc=something

or similar.

• We don't want to predefine all possible parameters(name, created_on, something)
• We don't want to have to analyze the request String to pick up control characters (like >=)
• nor do we don't want to implement our own grammar to reflect things like _eq _like _goe and so on (as an alternative or addition to control characters)

Is there some kind of framework that provides help with this mapping from GET request parameters to database query ?

Since we know which REST resource we're GETing we have the entity / table (select). It probably will also be necessary to predefine the JOINs that will be executed in order to limit the depths of a search.

But other than that we want the REST consuming client to be able to execute any search without us having to predefine how a certain parameter and a certain control sequence will get translated into a search.

---

Right now I'm trying some semi automatic solution building on Mysemas QueryDSL. It allows me to predefine the where columns and sort columns and I'm working on a simple string comparison to detect things like '_like', '_loe', ... in a parameter and then activate the corresponding predefined part of the search. Not much different from an SQL String except that it's SQL injection proof an type save.

However I still have to tell my search object that it should be able to potentially handle a query "look for a person with name like '???'". Right now this is okay as we only consume the REST resource internally and isolate the actual search creation quite well. If we need to make a search do more we can just add more predefinitions for now. But should we make our REST resources public at some time in the future that won't be so great.

---

So we're wondering, there has to be some framework or best practice or recommended solution to approaching this. We're not the first who want this. Redmine for example offers all of its resource via a REST interface and I can query at will. Or facebook with its Graph API. I'm sure those guys didn't just predefine all possibilities but rather created some generic grammar. We'd like to save as much as possible on that effort and use available solutions instead.

Like I said, we're using Hibernate so an SQL or HQL solution would be fine or anything that builds on entities like QueryDsl. (Also there's the security issue concerning SQL injection)

Any suggestions? Ideas? Will we just have to do it all ourselves?

Answer 1

From a .NET perspective the closest thing I can think of would be a WCF data service.

Take a look at the uri-conventions specified on the OData website. There is some good information on the section on 4.5 Filter System Query Option . You'll notice that a lot of the examples on this site are .NET related, but there are other suggestions for getting this to work with Java.