I would recommend having a separation of principle. Here is a simple structure to start from.
Controller: Receives your DTO e.g. "Book".
Mapper: Translates a DTO to a DAO; later you can also add a Sanitizer somewhere at this level.
Repository: Saves into db. e.g. dao.insertBook().
Controller should be a simple interface to declare the endpoint; at best it should even do some exception handling. Inserting your DTO as a DAO can cause some issues, security-wise especially.