Title: Support prepared statements and parameters by vhiairrassary · Pull Request #21 · Query-farm/httpserver · GitHub
Open Graph Title: Support prepared statements and parameters by vhiairrassary · Pull Request #21 · Query-farm/httpserver
X Title: Support prepared statements and parameters by vhiairrassary · Pull Request #21 · Query-farm/httpserver
Description: Hello, I need to support untrusted inputs so I have created this PR as a starting point to see if you would be interested to have this feature merged upstream, and if yes, to discuss about the details. How it works If there is no parameter then execution did not change If there is at least one parameter then I prepare a statement, extract the named values (this PoC does not support positional parameters, but it can be easily done. As a personal note I find them confusing, and even saw they are a syntactic sugar for named parameters under the hood) and execute the prepared statement How to test it It can be tested using: make DUCKDB_HTTPSERVER_DEBUG=1 \ DUCKDB_HTTPSERVER_FOREGROUND=1 \ duckdb -unsigned \ -c "FORCE INSTALL httpserver FROM './build/release/repository';" \ -c "LOAD httpserver;" \ -c "SELECT 890;" \ -c "SELECT httpserve_start('0.0.0.0', 4000, '');" and curl -X POST -d 'SELECT typeof($ABC), $abc, typeof($DEF), $def' -g 'http://localhost:4000?parameters={"abc":{"type":"TEXT","value":"7"},"def":{"type":"BOOLEAN","value":true}}' # {"typeof($ABC)":"VARCHAR","$abc":"7","typeof($DEF)":"BOOLEAN","$def":"true"} Questions/notes I am relying on exceptions to split the code in separated functions and make it easier to read (see the refactored CheckAuthentication and ExtractFormat functions for example). They are not on the happy path and should not impact performances (assuming the database is not publicly available, which sounds reasonable) I tried to follow what is done by Snowflake For the PoC I expect the query's parameters to be a JSON string in the HTTP parameter parameter. This sounds weird and I would be happy to move all the parameters (format, query/q and parameters) inside a single JSON body. Wdyt? We could either: keep the GET (with format and query/q), the POST (with format and query/q) and POST with a JSON body (with format and query/q and parameters) or keep the GET as above and unify both POST with a JSON body (with format and query/q and parameters), but it would be a breaking change I am not sure if I need to do something to drop the prepared statement (In SQL there is an explicit DEALLOCATE operation)
Open Graph Description: Hello, I need to support untrusted inputs so I have created this PR as a starting point to see if you would be interested to have this feature merged upstream, and if yes, to discuss about the deta...
X Description: Hello, I need to support untrusted inputs so I have created this PR as a starting point to see if you would be interested to have this feature merged upstream, and if yes, to discuss about the deta...
Opengraph URL: https://github.com/Query-farm/httpserver/pull/21
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:d7fc84b3-489c-11ec-cd4a-857ec76a1c28 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | E37C:367E5D:1CFCAA:2765C6:69826A3D |
| html-safe-nonce | 9acbc4026c06db8fafc3ae2ddd64a76ea6a6d088191d8b0a71cb5822d4e76e0b |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFMzdDOjM2N0U1RDoxQ0ZDQUE6Mjc2NUM2OjY5ODI2QTNEIiwidmlzaXRvcl9pZCI6IjU3MTI5OTkyNjY0OTUxMzAxNzIiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 5175ecb5dd64e9d807fd3ca7e0a0effaa17960a9d1c9f4ae60ce57d3bcb39307 |
| hovercard-subject-tag | pull_request:2236057098 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/Query-farm/httpserver/pull/21/files |
| twitter:image | https://avatars.githubusercontent.com/u/6972399?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/6972399?s=400&v=4 |
| og:image:alt | Hello, I need to support untrusted inputs so I have created this PR as a starting point to see if you would be interested to have this feature merged upstream, and if yes, to discuss about the deta... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | d8cbbf00e6212b4e561a1d6db613194a319d58a2967494f7cc81cf6da3fbb985 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/Query-farm/httpserver git https://github.com/Query-farm/httpserver.git |
| octolytics-dimension-user_id | 183420031 |
| octolytics-dimension-user_login | Query-farm |
| octolytics-dimension-repository_id | 869750358 |
| octolytics-dimension-repository_nwo | Query-farm/httpserver |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 869750358 |
| octolytics-dimension-repository_network_root_nwo | Query-farm/httpserver |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 15d777483e72943a892af4ab5c0bbdb20215e6f3 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width