JPA query - how to mix arbitrary query strings and CriteriaBuilder
Question
I need to perform a query of the form
SELECT dontcare FROM Bar b WHERE x = y AND expr
- x is the name of any field in Bar, y is a specific value. These come via a Servlet and cannot be trusted.
- expr is a project specific filter to change the scope of the query involving other fields - this is trusted and comes from a configuration file and could be quite complex.
An unsafe approach would be
String qStr = "SELECT foo FROM Bar b WHERE " + x " = " + y " AND " + expr
However x and y are not trusted source so leaves open to injection attack. I've found CriteriaBuilder, and made a programmatic build of the "x = y" part that works fine, but cannot find how to append the "AND expr".
CriteriaBuilder cb = em.getCriteriaBuilder();
CriteriaBuilder<Bar> q = cb.createQuery(Foo.class);
Root<Bar> root = q.from(Bar.class);
Predicate p1 = cb.equals(root.get(x), y);
Predicate p2 = <====== help needed here, how can I use expr
q.where(cb.and(p1, p2));
Query query = em.createQuery(q);
Any ideas? I've spent a good amount of time looking through tutorials and the javadocs for Expression, Predicate, Query etc.
1 answers
solution1
1 ACCPTED 2012-05-14 10:07:37
With the criteria api you can create conjunctions, which contain a number of predicates that all have to be true.
If you want OR, you can use disjunctions.
something like:
Criteria crit = session.createCriteria(Product.class);
Conjunction conjunction = Restrictions.conjunction();
conjunction.add(Restrictions.isNull("location"));
conjunction.add(Restrictions.eq("location", ""));
crit.add(conjunction);
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.