I’m exposing a more or less public API that allows the user to query datasets from a database. Since the user will need to filter out specific datasets I’m tempted to accept the WHERE-part of the SELECT statement as an API parameter. Thus the user could perform queries as complex as she’d like without worrying about a cluttered API interface.
I’m aware of the fact that I would have to catch SQL-injection attempts.
Do you think that this would circumvent the purpose of an API wrapping a database too much or would you consider this a sane approach?
In general, I’d recommend against letting them embed actual sql in their requests
You can allow them to submit
whereconditions in their request pretty easily:or something similar.
The value of doing this is muli-fold:
I think the last point is actually most important. The day will come when you’ll need to make changes to the underlying schema of the database. Eventually, it will happen. At that point you’ll appreciate having some ‘translation’ layer between what the users send in and the queries. It will allow you to isolate the users from actual changes in the underlying database.
The API should present an ‘abstracted’ version of the actual tables themselves that meet the users needs and isolate them from changes to the actual underlying database.