Current approach: the user writes this template
SELECT * FROM profile WHERE email='{{context.arguments.email}}'

and the context supplied at request time is
{
  arguments: {
    email: "john@example.com"
  }
}

Template + Context -> SELECT * FROM profile WHERE email='john@example.com' -> Database -> Result
Problems with the current approach:
- Not easy to write
- Insecure: a value such as a; DROP TABLE profile is pasted straight into the SQL text
- Hard to check whether the query was correct or whether there were errors
- Can only write one statement
Options 1 and 3 both use a library called Knex.
1. Fix injection problems with the current approach: parameterized queries
Query: SELECT * FROM profile WHERE email=?
Args:  [$context.arguments.email]

Query + Args + Context -> SELECT * FROM profile WHERE email='john@example.com' -> Database -> Result
2. Allow users to write a declarative meta language
{
  "profile": {
    "where": {
      "email": "$context.arguments.email"
    }
  }
}

Meta language + Context -> SELECT * FROM profile WHERE email='john@example.com' -> ???
Approach 3 - Allow users to write code
JavaScript:
return db.select().from('meme').orderBy('id', 'desc')

Sandbox context handed to the code:
{
  db: Knex,
  resolve: {
    args: { ... },
    // more graphql stuff
  }
}

Code + Sandbox -> VM -> Result

Pros: multiple queries, custom business logic
Con: while(true) {} (user code that never terminates)
Three approaches: