@ElVar

Command method param extension

Marks parameter as el variable (variables are substituted in query before execution).

@Query("select from Model where ${prop} = ?")
List<Model> findBy(@ElVar("prop") String prop, String value);

Any type could be used for variable. Value is converted to string using object.toString. Null value converted to empty string ("").

If Class used as variable then only class name will be used, for example:

@Query("select from ${model}")
List<Model> findAll(@ElVar("model") Class model);

It is safe to use Class, Enum, Number (int, long etc), Character types, because they not allow sql injection. But when string or raw object used as value, you can define a list of allowed values to avoid injection:

@Query("select from Model where ${prop} = ?")
List<Model> findAll(@ElVar(value = "prop", allowedValues = {"name", "nick"}) String prop, String value);

Now if provided value is not "name" or "nick" exception will be thrown.

If you use String variable without list of allowed values, warning will be shown in log (possible injection). If you 100% sure that it's safe, you can disable warning:

@Query("select from Model where ${cond}")
List<Model> findWhen(@ElVar(value = "cond", safe = true) String cond);
...
repository.findWhen("name='luke' and nick='light'")

Also, safe marker documents method safety (kind of "yes, I'm sure").