I've recently been exploring DropWizard which comes bundled with JDBI and quickly came across the same problem. Unfortunately JDBI has lackluster documentation (JavaDoc and some sample unit tests on it's git repository don't cut it alone) which is disappointing.
Here's what I found that achieves a dynamic order in a Sql Object API for JDBI based on my sample DAO:
@UseStringTemplate3StatementLocator
public interface ProductsDao {
@RegisterMapperFactory(BeanMapperFactory.class) // will map the result of the query to a list of Product POJOs(Beans)
@SqlQuery("select * from products order by <orderby> <order> limit :limit offset :offset")
List<Product> getProducts(@Define("orderby") String orderBy, @Define("order") String order,
@Bind("limit") int limit, @Bind("offset") int offset);
@SqlQuery("select count(*) from products")
int getProductsCount();
}
@UseStringTemplate3StatementLocator - this annotation is what allows us to use the <arg>
syntax in the queries. These args are going to be replaced with whatever value we provide via the @Define
annotation.
To be able to use this feature I had to additionally add this dependency to my pom.xml
file:
<dependency>
<groupId>antlr</groupId>
<artifactId>stringtemplate</artifactId>
<version>2.3b6</version> <!-- I am not sure if this specific version is meant to be used though -->
</dependency>
SQL INJECTION WARNING
It should be noted that this opens us up to Sql Injection
since the values are directly inserted to the query. (In contstrast to :arg
syntax in the query and @Bind
annotation which uses prepared statements and protects against sql injection). At the very least you should sanitize the parameters that are going to be used for the @Define
fields. (Simple example for DropWizard below).
@Path("/products")
@Produces(MediaType.APPLICATION_JSON)
public class ProductsResource {
private static ImmutableSet<String> orderByChoices = ImmutableSet.of("id", "name", "price", "manufactureDate");
private final ProductsDao dao;
public ProductsResource(ProductsDao dao) {
this.dao = dao;
}
@GET
// Use @InjectParam to bind many query parameters to a POJO(Bean) instead.
// https://jersey.java.net/apidocs/1.17/jersey/com/sun/jersey/api/core/InjectParam.html
// i.e. public List<Product> index(@InjectParam ProductsRequest request)
// Also use custom Java types for consuming request parameters. This allows to move such validation/sanitization logic outside the 'index' method.
// https://jersey.java.net/documentation/1.17/jax-rs.html#d4e260
public List<Product> index(@DefaultValue("id") @QueryParam("orderby") String orderBy,
@DefaultValue("asc") @QueryParam("order") String order,
@DefaultValue("20") @QueryParam("perpage") IntParam perpage,
@DefaultValue("0") @QueryParam("page") IntParam page)
int limit, offset;
order = order.toLowerCase();
orderBy = orderBy.toLowerCase();
if (!orderByChoices.contains(orderBy)) orderBy = "id"; //sanitize <orderby>
if (order != "asc" && order != "desc") order = "asc"; //sanitize <order>
limit = perpage.get();
offset = page.get() < 0 ? 0 : page.get() * limit;
return dao.getProducts(orderBy, order, limit, offset);
}
}
@Bind("foo") String foo
will not substitute the string into the query using:foo
? or if you have found documentation that covers this? – Griffin