I want to dynamically filter a JDBI query.
A list of parameters is passed from the UI via REST, e.g.
http://localhost/things?foo=bar&baz=taz
http://localhost/things?foo=buz
Which is (clumsily) built (Jersey @Context UriInfo::getQueryParameters -> StringBuilder) to something like this:
WHERE foo=bar AND baz=taz
And passed to JDBI which looks like this:
    @UseStringTemplate3StatementLocator
    public interface ThingDAO {
        // the closing quote of the SQL string was missing in the original post
        @SqlQuery("SELECT * FROM things <where>")
        List<Thing> findThingsWhere(@Define("where") String where);
    }
As far as I understand the current implementation is vulnerable to SQL injection. I can obviously sanitize the column names but not the values.
There must be a more elegant and SQL Injection proof way of doing this.
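One way to get the same dynamic filtering without interpolating user input into the SQL text, as an added example that is not part of the original post: keep the column names (which cannot be bound as parameters) to a whitelist, and turn every value into a named bind parameter so the database driver never sees it as SQL. The `SafeFilter` class, the `ALLOWED_COLUMNS` whitelist and the `things` table are assumptions for illustration; the JDBI 2 fluent `Handle`/`Query` API is used because `@UseStringTemplate3StatementLocator` in the question is a JDBI 2 annotation.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.skife.jdbi.v2.DBI;
import org.skife.jdbi.v2.Handle;
import org.skife.jdbi.v2.Query;

/** Builds a WHERE clause from UI query parameters without SQL injection (added example, not the poster's code). */
public final class SafeFilter {

    // Hypothetical whitelist of columns the UI may filter on (assumption for this example).
    private static final Set<String> ALLOWED_COLUMNS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("foo", "baz", "name")));

    /** SQL text plus the values to bind by parameter name. */
    public static final class Built {
        public final String sql;
        public final Map<String, String> bindings;

        Built(String sql, Map<String, String> bindings) {
            this.sql = sql;
            this.bindings = bindings;
        }
    }

    /**
     * Turns {foo=[bar], baz=[taz]} into "SELECT * FROM things WHERE foo = :p0 AND baz = :p1"
     * plus {p0=bar, p1=taz}. Column names are identifiers, so they are validated against the
     * whitelist; values are never concatenated into the SQL, they become bind parameters, so a
     * value such as "taz' OR '1'='1" is compared as a plain string literal.
     */
    public static Built build(String table, Map<String, List<String>> queryParams) {
        StringBuilder sql = new StringBuilder("SELECT * FROM ").append(table);
        Map<String, String> bindings = new LinkedHashMap<>();
        List<String> clauses = new ArrayList<>();

        for (Map.Entry<String, List<String>> e : queryParams.entrySet()) {
            String column = e.getKey();
            if (!ALLOWED_COLUMNS.contains(column)) {
                // Reject rather than "sanitize": an unknown identifier is never placed in the SQL.
                throw new IllegalArgumentException("unknown filter column: " + column);
            }
            for (String value : e.getValue()) {
                String param = "p" + bindings.size();   // :p0, :p1, ...
                clauses.add(column + " = :" + param);
                bindings.put(param, value);
            }
        }
        if (!clauses.isEmpty()) {
            sql.append(" WHERE ").append(String.join(" AND ", clauses));
        }
        return new Built(sql.toString(), bindings);
    }

    /** Runs the built query through JDBI 2's fluent API; binding happens via Query.bind, not string building. */
    public static List<Map<String, Object>> findThings(DBI dbi, Map<String, List<String>> queryParams) {
        Built b = build("things", queryParams);
        Handle h = dbi.open();
        try {
            Query<Map<String, Object>> q = h.createQuery(b.sql);
            for (Map.Entry<String, String> e : b.bindings.entrySet()) {
                q.bind(e.getKey(), e.getValue());
            }
            return q.list();
        } finally {
            h.close();
        }
    }
}
```

Jersey's `UriInfo.getQueryParameters()` returns a `MultivaluedMap<String, String>`, which is a `Map<String, List<String>>`, so it can be passed to `build` directly. The `@Define`/StringTemplate route in the question is only appropriate for the parts of the statement that genuinely cannot be parameters (table or column identifiers), and even then only after checking them against a fixed whitelist; everything that comes from the user as a value belongs in a bind parameter.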