I have this code:
// Builds a Spring Data JPA Specification that performs a case-insensitive
// LIKE on one string attribute and orders the result by creation date.
private static Specification<Entity> caseInsensitiveLike(SingularAttribute<Entity, String> field, String searchParameter) {
    return (root, query, cb) -> {
        Predicate predicate = null;
        if (searchParameter != null) {
            // The pattern is built in Java and handed to the Criteria API as a
            // value; it is not concatenated into JPQL/SQL text here.
            predicate = cb.like(
                    cb.upper(root.get(field)),
                    "%" + searchParameter.toUpperCase() + "%");
        }
        // ExternalPatientEntity_ is the JPA static metamodel class; root must be
        // of that entity type for this get() to compile.
        query.orderBy(cb.desc(root.get(ExternalPatientEntity_.dateCreated)));
        return predicate;
    };
}
Am I correctly putting the uncontrolled, client-supplied input into the built query here, or is it set as a parameter of the JDBC statement?
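As an added example (not code from the question above), the same search written against a plain EntityManager with an explicit ParameterExpression, so the binding is visible in the code rather than left to the provider's literal-handling setting; it also escapes LIKE wildcards so a user string such as "%" cannot match every row. It assumes the jakarta.persistence namespace (javax.persistence on older stacks) and a caller that supplies the entity class and metamodel attribute.

```java
import java.util.List;
import jakarta.persistence.EntityManager;
import jakarta.persistence.TypedQuery;
import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.ParameterExpression;
import jakarta.persistence.criteria.Root;
import jakarta.persistence.metamodel.SingularAttribute;

public final class CaseInsensitiveSearch {

    /** Escape LIKE wildcards so user input matches literally. Wildcards are
     *  not SQL injection, but an unescaped "%" or "_" widens the match. */
    static String escapeLikePattern(String raw) {
        return raw.replace("\\", "\\\\")
                  .replace("%", "\\%")
                  .replace("_", "\\_");
    }

    /** Hypothetical search helper: the user string is bound as a JPA
     *  parameter and never concatenated into the query text. */
    static <E> List<E> search(EntityManager em, Class<E> type,
                              SingularAttribute<E, String> field,
                              String searchParameter) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<E> cq = cb.createQuery(type);
        Root<E> root = cq.from(type);
        cq.select(root);

        if (searchParameter == null) {
            return em.createQuery(cq).getResultList();
        }

        // Named parameter: the value travels as a bind variable.
        ParameterExpression<String> pattern = cb.parameter(String.class, "pattern");
        // Third argument is the escape character used in escapeLikePattern().
        cq.where(cb.like(cb.upper(root.get(field)), pattern, '\\'));

        TypedQuery<E> q = em.createQuery(cq);
        q.setParameter("pattern",
                "%" + escapeLikePattern(searchParameter.toUpperCase()) + "%");
        return q.getResultList();
    }
}
```

Inside a Spring Data Specification you cannot call setParameter on the TypedQuery, which is why the question's code passes the pattern as a String value instead; in Hibernate that value becomes a literal expression that the default literal-handling mode renders as a bind parameter.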