How to create dynamic and secure queries

advertisements

A "static" query is one that remains the same at all times. For example, the "Tags" button on Stackoverflow, or the "7 days" button on Digg. In short, they always map to a specific database query, so you can create them at design time.

But I am trying to figure out how to do "dynamic" queries where the user basically dictates how the database query will be created at runtime. For example, on Stackoverflow, you can combine tags and filter the posts in ways you choose. That's a dynamic query albeit a very simple one since what you can combine is within the world of tags. A more complicated example is if you could combine tags and users.

First of all, when you have a dynamic query, it sounds like you can no longer use the substitution api to avoid sql injection since the query elements will depend on what the user decided to include in the query. I can't see how else to build this query other than using string append.

Secondly, the query could potentially span multiple tables. For example, if SO allows users to filter based on Users and Tags, and these probably live in two different tables, building the query gets a bit more complicated than just appending columns and WHERE clauses.

How do I go about implementing something like this?

The first rule is that users are allowed to specify values in SQL expressions, but not SQL syntax. All query syntax should be literally specified by your code, not user input. The values that the user specifies can be provided to the SQL as query parameters. This is the most effective way to limit the risk of SQL injection.

Many applications need to "build" SQL queries through code, because as you point out, some expressions, table joins, order by criteria, and so on depend on the user's choices. When you build a SQL query piece by piece, it's sometimes difficult to ensure that the result is valid SQL syntax.

I worked on a PHP class called Zend_Db_Select that provides an API to help with this. If you like PHP, you could look at that code for ideas. It doesn't handle any query imaginable, but it does a lot.

Some other PHP database frameworks have similar solutions.

Related Articles

Python | How to create dynamic and extensible dictionaries

I want to create a Python dictionary which holds values in a multidimensional accept and it should be able to expand, this is the structure that the values should be stored :- userdata = {'data':[{'username':'Ronny Leech','age':'22','country':'Siberi

How to create dynamic tab content

I have a first tab in my application, I want to know if it's possible to create a new tab when I click on my bouton ? <html> <head> <title>How to Create dynamic tab content</title> <link rel="stylesheet" href="htt

How to create dynamic models of drag and drop?

I have a requirement of developing a functionality where user can dynamically define a template (labels, textboxes, labels, rows, columns, parent child relationships among above elements etc). These elements(such as combo boxes) may be bound to diffe

How to create dynamic data entry forms in a WPF application?

I'm planning a WPF application which will be able to create dynamic data entry forms (meaning the form gets the fields to display, their order, etc. from data in the database, not from the XAML) use the MVVM pattern if possible Here is how I plan to

How to create dynamic objects in the member function?

In a member function of Class Championship, I try to create dynamic objects and call the member function of Class Game, but I got the error message as error: expected primary-expression before '[' token. How to correct it? class Championship { public

How to create dynamic pages in drupal?

I have contents in the following url: mysite.com/project/node-id But then i want the user to be directed to mysite.com/entries/node-id when they click on entries link. How do i achieve this? In the entries page i want to show a view which takes the n