Handling dynamic queries with Spring

Question

The problem I'm trying to solve here is, filtering the table using dynamic queries supplied by the user. Entities needed to describe the problem:

Table: run_events

Columns: user_id, distance, time, speed, date, temperature, latitude, longitude

The problem statement is to get the run_events for a user, based on a filterQuery. Query is of the format,

((date = '2018-06-01') AND ((distance < 20) OR (distance > 10))

And this query can combine multiple fields and multiple AND/OR operations.

One approach to solving this is using hibernate and concatenating the filterQuery with your query.

"select * from run_events where user_id=:userId and "+filterQuery;

This needs you to write the entire implementation and use sessions, i.e.

        String q = select * from run_events where user_id=:userId and "+filterQuery;

        Query query = getSession().createQuery(q);
        query.setParameter("userId", userId);
 

        List<Object[]> result = query.list();
        List<RunEvent> runEvents = new ArrayList<>();
        for(Object[] obj: result){
            RunEvent datum = new RunEvent();
            int index = -1;
            datum.setId((long) obj[++index]);
            datum.setDate((Timestamp) obj[++index]);
            datum.setDistance((Long) obj[++index]);
            datum.setTime((Long) obj[++index]);
            datum.setSpeed((Double) obj[++index]);
            datum.setLatitude((Double) obj[++index]);
            datum.setLongitude((Double) obj[++index]);
            datum.setTemperature((Double) obj[++index]);
            runEvents.add(datum);
        }

This just doesn't seem very elegant and I want to use the @Query annotation to do this i.e.

 @Query(value = "select run_event from RunEvent where user_id = :userId and :query order by date asc")
    List<RunEvent> getRunningData(@Param("userId") Long userId,
                                      @Param("query") String query,
                                   );

But this doesn't work because query as a parameter cannot be supplied that way in the query.

Is there a better, elegant approach to getting this done using JPA?

Using Specifications and Predicates seems very complicated for this sort of a query.

Answer 1

To answer the plain question: This is not possible with @Query.

It is also in at least 99% of the cases a bad design decision because constructing SQL queries by string concatenation using strings provided by a user (or any source not under tight control) opens you up for SQL injection attacks.

Instead you should encode the query in some kind of API (Criteria, Querydsl, Query By Example) and use that to create your query. There are plenty of questions and answers about this on SO so I won't repeat them here. See for example Dynamic spring data jpa repository query with arbitrary AND clauses

If you insist on using a SQL or JPQL snippet as input a custom implementation using String concatenation is the way to go.

Answer 2

This opens up attack for SQL injection. Maybe that’s why this feature is not possible.

It is generally a bad idea to construct query by appending random filters at the end and running them.

What if the queryString does something awkward like

Select * from Foo where ID=1234 or true;

thereby returning all the rows and bringing a heavy load on DB possibly ceasing your whole application?

Solution: You could use multiple Criteria for filtering it dynamically in JPA, but you’ll need to parse the queryString yourself and add the necessary criteria.

Answer 3

You can use kolobok and ignore fields with null values. For example create one method like bellow

findByUserIdAndDistanceaLessThanAndDistancebGreaterThan....(String userid,...)

and call that method only with the filter parameters while other parameters are null