This is a class of problem I have yet to find a good way to deal with handling and wanted some opinions. I have a table with data and above it 12 different drop downs and 1 text field all of which contribute to the WHERE clause of the query. For security and caching sake I want to try to convert this to a named query but the only two ways I can think of
- Use query strings - I still leave myself open to SQL injection (albeit less but still there)
- Make a named query per filter combination - with 13 different options for the user, this would mean hundreds of named queries.
To make it concrete here are the filters available -
All is selected for the dropdown, I don’t need any where clause for that item, but if something for the dropdown
Contact is selected for instance, then I would want
Any thoughts on a clean approach that doesn’t use query strings? I hesitate to make the filters work via scripting as I have to think my database can do a WHERE clause filter much faster than jython could iterate through tens thousands of records. All opinions welcome.