Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Parameterized queries #52

Closed
bnyeggen opened this issue Mar 7, 2014 · 4 comments
Closed

Parameterized queries #52

bnyeggen opened this issue Mar 7, 2014 · 4 comments

Comments

@bnyeggen
Copy link
Collaborator

bnyeggen commented Mar 7, 2014

Using tiedot in embedded mode, one often wants to create a query based on user input. There isn't really a safe / easy way to do this at the moment. Concatenating user-supplied strings could embed things that muck up your JSON (analogous to SQL injection). Substituting a string in your final marshaled JSON object requires you to write a decent amount of specific code & casts for each parameterization as you traverse what the compiler thinks is a map[string]interface{}.

My preferred solution would be to have a function EvalParameterizedQuery(q string, src *Col, result *map[uint64]struct{}, params ...string) (err error) that interpolates ? to the parameters (considering them as strings) and then marshals the JSON internally. Since a raw ? embedded in JSON, without wrapping in a string, is a syntax error, this should be unambiguous.

One would have to do quote-counting to identify the un-string-wrapped ?'s, mindful of the possibility of escaped " characters.

My understanding is that given you're able to identify the insertion point as valid, it's sufficient to wrap the user-supplied string in double-quotes and escape the characters:

"
\
control characters (<U+0020)

If this is an acceptable solution, I'm willing to write this up (although it may take me some time).
@HouzuoGuo
Copy link
Owner

Hello!
That sounds like a great idea.

Let me see if I got it exactly:
The query string will use "?" as parameter placeholders; then by using string manipulation, we remove occurrences of "?" and replace them by parameter values serialized into JSON string.

There should not be ambiguity around "?", it should be simple and straight forward to do so. What's your opinion?

@bnyeggen
Copy link
Collaborator Author

bnyeggen commented Mar 7, 2014

Technically it's the appearance of the raw character ?, outside of a string. So the call:
EvalParameterizedQuery({"eq": "New Go release", "in": [?]}, c, r, "Title")
would render the final JSON as:
{"eq": "New Go release", "in": ["Title"]}

That initial query string isn't valid JSON, so the parse should be unambiguous. It's more complicated to track things like:
{"eq": "New Go release", "in": ["\"?",?]}
where one of the ? appears as part of a valid string which also embeds escaped quotes, and one is an actual parameter stub outside of any strings, but it should be doable.

@HouzuoGuo
Copy link
Owner

That's cool, what would be an easy way to identify ? outside string?

@bnyeggen bnyeggen mentioned this issue Mar 8, 2014
Merged
@bnyeggen
Copy link
Collaborator Author

Closed w/ PR 53

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bnyeggen @HouzuoGuo