<p>Exactly as the other answer said, but here more spelt out. I think the crux of your question is really 'show me how to add a restriction'. That is my interpretation anyhow.</p>
<p>You need to decode each restriction into its own field.</p>
<p>You need to know the Java entity property name for each field.</p>
<p>Then build a Map of these 2 things, the key is the known static Java entity property name and the value is the URL decoded data (possibly with type conversion).</p>
<pre><code>import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.tapestry5.EventContext;
import org.hibernate.Criteria;
import org.hibernate.criterion.Restrictions;

private Map&lt;String, Object&gt; queryParameters;
private List&lt;Vehicle&gt; vehicles;

void onActivate(EventContext context) {
    // Count is 6 - make/ford/model/focus/year/2009
    int count = context.getCount();

    queryParameters = new HashMap&lt;String, Object&gt;();
    if (count &gt; 0) {
        int i;
        for (i = 0; (i + 1) &lt; count; i += 2) {
            String name = context.get(String.class, i);
            String value = context.get(String.class, i + 1);

            Object sqlValue = value;
            if ("foobar".equals(name)) {
                // sometimes you don't want a String type for SQL composition
                // so convert it
                sqlValue = UtilityClass.doTypeConversionForFoobar(value);
            } else if ("search".equals(name) ||
                       "model".equals(name) ||
                       "year".equals(name)) {
                // no-op, this is a valid 'name'
            } else if ("make".equals(name)) {
                // this is a suggestion, depends on your project conf
                name = "vehicleMake.name";
            } else {
                continue; // ignore values we did not expect
            }
            // FIXME: You should validate all 'name' values
            // to be valid and/or convert to Java property names here

            System.out.println("name " + name);
            System.out.println("value " + value);

            this.queryParameters.put(name, sqlValue);
        }
    }

    // 'session' is the Hibernate Session held by this class
    Criteria crit = this.session.createCriteria(Vehicle.class);
    for (Map.Entry&lt;String, Object&gt; e : this.queryParameters.entrySet()) {
        String n = e.getKey();
        Object v = e.getValue();
        // Sometimes you don't want a direct compare 'Restrictions.eq()'
        if ("search".equals(n))
            crit.add(Restrictions.like(n, "%" + v + "%"));
        else // Most of the time you do
            crit.add(Restrictions.eq(n, v));
    }

    this.vehicles = crit.list(); // run query
}
</code></pre>
<p>See also <a href="https://docs.jboss.org/hibernate/orm/3.5/reference/en/html/querycriteria.html" rel="nofollow">https://docs.jboss.org/hibernate/orm/3.5/reference/en/html/querycriteria.html</a></p>
<p>With the above there should be no risk of SQL injection, since the "name" and "n" part should be 100% validated against a known good list. The "value" and "v" are correctly escaped, just like using SQL position placeholder '?'.</p>
<p>E&amp;OE</p>
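<p>Added example, not part of the original answer: one way to make the "known good list" explicit, so that a URL name can only ever resolve to a fixed entity property and a typed value. The class name, the <code>Target</code> record and the property names are assumptions modelled on the answer's make/model/year example; unlike the answer, which skips unexpected names, this version rejects the request.</p>

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

public class RestrictionAllowList {
    // One allow-listed URL name: the entity property it maps to and its value converter.
    record Target(String property, Function<String, Object> convert) {}

    // Static allow-list (hypothetical property names). Request data is only ever
    // looked up in this map; it is never used as a property name itself.
    static final Map<String, Target> ALLOWED = Map.of(
        "make",   new Target("vehicleMake.name", v -> v),
        "model",  new Target("model", v -> v),
        "year",   new Target("year", Integer::valueOf),
        "search", new Target("search", v -> v));

    // Turns name/value path segments into property -> typed value.
    // Unknown names, a trailing name without a value and unconvertible values are rejected.
    static Map<String, Object> decode(List<String> segments) {
        if (segments.size() % 2 != 0)
            throw new IllegalArgumentException("dangling name without a value");
        Map<String, Object> out = new LinkedHashMap<>();
        for (int i = 0; i < segments.size(); i += 2) {
            String name = segments.get(i);
            Target t = (name == null) ? null : ALLOWED.get(name);
            if (t == null)
                throw new IllegalArgumentException("unexpected restriction name");
            try {
                out.put(t.property(), t.convert().apply(segments.get(i + 1)));
            } catch (NumberFormatException e) {
                // 'name' is allow-listed at this point, so it is safe to echo
                throw new IllegalArgumentException("bad value for " + name);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input for /make/ford/model/focus/year/2009
        System.out.println(decode(List.of("make", "ford", "model", "focus", "year", "2009")));
        try {
            // Constructed input: a name outside the allow-list never reaches the query
            decode(List.of("unexpected.property", "x"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

<p>The map returned by <code>decode</code> takes the place of <code>queryParameters</code> in the answer's loop, where each value is still passed to <code>Restrictions.eq</code> or <code>Restrictions.like</code> as a bound value.</p>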
 
