You don't want anyone to be able to execute any code on your server.
If I'm able to send you any SQL query to execute, I can perform anything I want. For instance I could send "DELETE * FROM USERS;" or anything similar
For sure there needs to be authentication and authorization on the database beforehand. There are also REST interfaces :-)
Yes sure, but even if the user is authorized, I don't think we should simply let him run any query of his choice directly on the database.
RESTful services are, to me, a good way of orchestrating backend calls, and it has its pros and cons versus GraphQL.
To be honest I don't know GraphQL enough though!
Most db -> GraphQL layers (like Hasura or PostGraphile) respect and/or even take into account the security policies and roles of the db when generating the GraphQL schema (basically the list of types, queries, and mutations that you can use to build GraphQL queries).
A GraphQL query (basically a GET request) or mutation (basically a POST request) would never simply be mapped to a raw SQL query.