I need to perform a query of the form
SELECT dontcare FROM Bar b WHERE x = y AND expr
An unsafe approach would be
String qStr = "SELECT foo FROM Bar b WHERE " + x " = " + y " AND " + expr
However x and y are not trusted source so leaves open to injection attack. I've found CriteriaBuilder, and made a programmatic build of the "x = y" part that works fine, but cannot find how to append the "AND expr".
CriteriaBuilder cb = em.getCriteriaBuilder();
CriteriaBuilder<Bar> q = cb.createQuery(Foo.class);
Root<Bar> root = q.from(Bar.class);
Predicate p1 = cb.equals(root.get(x), y);
Predicate p2 = <====== help needed here, how can I use expr
q.where(cb.and(p1, p2));
Query query = em.createQuery(q);
Any ideas? I've spent a good amount of time looking through tutorials and the javadocs for Expression, Predicate, Query etc.
With the criteria api you can create conjunctions, which contain a number of predicates that all have to be true.
If you want OR, you can use disjunctions.
something like:
Criteria crit = session.createCriteria(Product.class);
Conjunction conjunction = Restrictions.conjunction();
conjunction.add(Restrictions.isNull("location"));
conjunction.add(Restrictions.eq("location", ""));
crit.add(conjunction);