To prevent SQL injection, generally you’ll want to use a query with placeholders. The querying from the SDK section in the docs has a brief example on this.
In your code example, I believe the string supplied by searchParams.getSampleId() could introduce a side effect. It’s hard to say exactly what the possibilities are, but I believe one problem you could have with the above is inserting a subquery, since that is valid in a WHERE clause. That may expose data you didn’t mean to be exposed or have another side effect.
By using placeholders, the statement will be parsed for execution by cbq-engine, and then the parameters are applied later using cbq-engine’s API for this.
The .adhoc() parameter on the query will have the Java SDK automatically set up prepared statements for the query and execute them once prepared, which are more of a performance optimization. You can have a combination of parameterized/placeholders and prepared statements, or both independently.
By the way, there is a .toString() on the query if you want to log it to have @geraldss take a look.
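As an added illustration of the placeholder approach described above (this is example code, not from the original post or from Couchbase), here is the string-concatenated form of the query next to the parameterized form using the Java SDK 2.x N1qlQuery API. The bucket name `samples`, the field `sampleId`, and the `SearchParams` class are assumptions made for the example; `N1qlQuery.parameterized(...)` and `N1qlParams.build().adhoc(false)` are the SDK's own calls.

```java
import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.document.json.JsonObject;
import com.couchbase.client.java.query.N1qlParams;
import com.couchbase.client.java.query.N1qlQuery;
import com.couchbase.client.java.query.N1qlQueryResult;
import com.couchbase.client.java.query.N1qlQueryRow;

import java.util.ArrayList;
import java.util.List;

public class SampleLookup {

    /** Hypothetical holder for user-supplied search input (assumption). */
    public static class SearchParams {
        private final String sampleId;
        public SearchParams(String sampleId) { this.sampleId = sampleId; }
        public String getSampleId() { return sampleId; }
    }

    /**
     * Concatenated form: whatever getSampleId() returns becomes part of the
     * N1QL statement text, so cbq-engine parses it as query syntax. A value
     * containing N1QL (e.g. a subquery, which is legal in a WHERE clause)
     * changes the meaning of the statement.
     */
    public static String buildConcatenated(SearchParams searchParams) {
        return "SELECT s.* FROM `samples` s WHERE s.sampleId = '"
                + searchParams.getSampleId() + "'";
    }

    /**
     * Parameterized form: the statement text is fixed and contains only the
     * named placeholder $sampleId. The statement is parsed first; the value is
     * bound afterwards as data, so a string that looks like N1QL is compared
     * literally against s.sampleId instead of being executed.
     */
    public static N1qlQuery buildParameterized(SearchParams searchParams) {
        String statement = "SELECT s.* FROM `samples` s WHERE s.sampleId = $sampleId";
        JsonObject namedParams = JsonObject.create()
                .put("sampleId", searchParams.getSampleId());
        // adhoc(false) is independent of placeholders: it lets the SDK prepare
        // the statement once and reuse the plan, a performance optimization.
        N1qlParams params = N1qlParams.build().adhoc(false);
        return N1qlQuery.parameterized(statement, namedParams, params);
    }

    /** Runs the parameterized query and returns the matching rows as JSON. */
    public static List<JsonObject> findSample(Bucket bucket, SearchParams searchParams) {
        N1qlQuery query = buildParameterized(searchParams);
        N1qlQueryResult result = bucket.query(query);
        List<JsonObject> rows = new ArrayList<>();
        if (!result.finalSuccess()) {
            throw new IllegalStateException("N1QL query failed: " + result.errors());
        }
        for (N1qlQueryRow row : result.allRows()) {
            rows.add(row.value());
        }
        return rows;
    }
}
```

The statement text passed to `N1qlQuery.parameterized` never changes between calls, only the bound `JsonObject` does, which is also what makes the prepared-statement path from `adhoc(false)` effective: one plan serves every value of `sampleId`. Logging `query.toString()` (or `query.n1ql()`) shows the statement and the parameters as separate fields, which is a convenient way to confirm that user input is arriving as a bound value rather than inside the statement string.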