Why not use SQL instead of GraphQL?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
Recently I learned about GraphQL which claims to be superior to RESTful. However, I started wondering why don't we simply put SQL statements into an HTTP GET request.
For example, in GraphQL I would write
{
Movie(id: "cixos5gtq0ogi0126tvekxo27") {
id
title
actors {
name
}
}
}
Which isn't much simpler than its SQL counterpart
SELECT id, title FROM movies WHERE id = cixos5gtq0ogi0126tvekxo27;
SELECT actors.name FROM actors, actors_movies WHERE actors.id == movies.actor_id AND movie.id == cixos5gtq0ogi0126tvekxo27;
Maybe we can URL-encode the query and send to the server
GET endpoint?q=SELECT%20id%2C%20title%20FROM%20movies%20WHERE%20id%20%3D%20cixos5gtq0ogi0126tvekxo27%3B%0ASELECT%20actors.name%20FROM%20actors%2C%20actors_movies%20WHERE%20actors.id%20%3D%3D%20movies.actor_id%20AND%20movie.id%20%3D%3D%20cixos5gtq0ogi0126tvekxo27%3B HTTP/1.1
Yes, the query URL can be too long, but you can put it into the body of a POST request if you don't care about REST compliance. (By the way, I think the HTTP RFC need be revised for REST to make sense: capping the length of query strings mixes implementation with specification at the very beginning)
Directly issuing SQL from the client also has the advantage of
- No server-side code/library is required to parse GraphQL, reducing development time.
- No server-side overhead is needed to parse GraphQL, reducing runtime.
- SQL statements are much more flexible than GraphQL because (in most cases) the latter will reduce to SQL anyway.
- Everyone knows SQL.
So, what the advantages GraphQL have over SQL?
architecture database web-development api web-services
edited 1 hour ago
whatsisname
25.1k136788
asked 8 hours ago
nalzoknalzok
1205
New contributor
nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 8 more comments
Recently I learned about GraphQL which claims to be superior to RESTful. However, I started wondering why don't we simply put SQL statements into an HTTP GET request.
For example, in GraphQL I would write
{
Movie(id: "cixos5gtq0ogi0126tvekxo27") {
id
title
actors {
name
}
}
}
Which isn't much simpler than its SQL counterpart
SELECT id, title FROM movies WHERE id = cixos5gtq0ogi0126tvekxo27;
SELECT actors.name FROM actors, actors_movies WHERE actors.id == movies.actor_id AND movie.id == cixos5gtq0ogi0126tvekxo27;
Maybe we can URL-encode the query and send to the server
GET endpoint?q=SELECT%20id%2C%20title%20FROM%20movies%20WHERE%20id%20%3D%20cixos5gtq0ogi0126tvekxo27%3B%0ASELECT%20actors.name%20FROM%20actors%2C%20actors_movies%20WHERE%20actors.id%20%3D%3D%20movies.actor_id%20AND%20movie.id%20%3D%3D%20cixos5gtq0ogi0126tvekxo27%3B HTTP/1.1
Yes, the query URL can be too long, but you can put it into the body of a POST request if you don't care about REST compliance. (By the way, I think the HTTP RFC need be revised for REST to make sense: capping the length of query strings mixes implementation with specification at the very beginning)
Directly issuing SQL from the client also has the advantage of
- No server-side code/library is required to parse GraphQL, reducing development time.
- No server-side overhead is needed to parse GraphQL, reducing runtime.
- SQL statements are much more flexible than GraphQL because (in most cases) the latter will reduce to SQL anyway.
- Everyone knows SQL.
So, what the advantages GraphQL have over SQL?
architecture database web-development api web-services
edited 1 hour ago
whatsisname
25.1k136788
asked 8 hours ago
nalzoknalzok
1205
New contributor
nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
3
Little Bobby Tables.
– Philip Kendall
8 hours ago
@PhilipKendall Do you mean SQL injection? This can be solved conveniently by setting the role of the corresponding SQL user to read-only. Also, I can always require some kind of API secret key, or employ other authentication techniques.
– nalzok
8 hours ago
1
What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.
– Laiv
8 hours ago
2
@nalzok: SQL is Turing-complete, which means it is impossible to validate statically.
– Jörg W Mittag
8 hours ago
1
There're more risks than injection tho. And architectural boundaries like having more than one DB or having no DB at all. You are assuming that behind an HTTP there's a SQL DB. SQL, graphQL, odata, etc are mere query languages no the DB itself.
– Laiv
8 hours ago
|
show 8 more comments
Recently I learned about GraphQL which claims to be superior to RESTful. However, I started wondering why don't we simply put SQL statements into an HTTP GET request.
For example, in GraphQL I would write
{
Movie(id: "cixos5gtq0ogi0126tvekxo27") {
id
title
actors {
name
}
}
}
Which isn't much simpler than its SQL counterpart
SELECT id, title FROM movies WHERE id = cixos5gtq0ogi0126tvekxo27;
SELECT actors.name FROM actors, actors_movies WHERE actors.id == movies.actor_id AND movie.id == cixos5gtq0ogi0126tvekxo27;
Maybe we can URL-encode the query and send to the server
GET endpoint?q=SELECT%20id%2C%20title%20FROM%20movies%20WHERE%20id%20%3D%20cixos5gtq0ogi0126tvekxo27%3B%0ASELECT%20actors.name%20FROM%20actors%2C%20actors_movies%20WHERE%20actors.id%20%3D%3D%20movies.actor_id%20AND%20movie.id%20%3D%3D%20cixos5gtq0ogi0126tvekxo27%3B HTTP/1.1
Yes, the query URL can be too long, but you can put it into the body of a POST request if you don't care about REST compliance. (By the way, I think the HTTP RFC need be revised for REST to make sense: capping the length of query strings mixes implementation with specification at the very beginning)
Directly issuing SQL from the client also has the advantage of
- No server-side code/library is required to parse GraphQL, reducing development time.
- No server-side overhead is needed to parse GraphQL, reducing runtime.
- SQL statements are much more flexible than GraphQL because (in most cases) the latter will reduce to SQL anyway.
- Everyone knows SQL.
So, what the advantages GraphQL have over SQL?
architecture database web-development api web-services
edited 1 hour ago
whatsisname
25.1k136788
asked 8 hours ago
nalzoknalzok
1205
New contributor
nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Recently I learned about GraphQL which claims to be superior to RESTful. However, I started wondering why don't we simply put SQL statements into an HTTP GET request.
For example, in GraphQL I would write
{
Movie(id: "cixos5gtq0ogi0126tvekxo27") {
id
title
actors {
name
}
}
}
Which isn't much simpler than its SQL counterpart
SELECT id, title FROM movies WHERE id = cixos5gtq0ogi0126tvekxo27;
SELECT actors.name FROM actors, actors_movies WHERE actors.id == movies.actor_id AND movie.id == cixos5gtq0ogi0126tvekxo27;
Maybe we can URL-encode the query and send to the server
GET endpoint?q=SELECT%20id%2C%20title%20FROM%20movies%20WHERE%20id%20%3D%20cixos5gtq0ogi0126tvekxo27%3B%0ASELECT%20actors.name%20FROM%20actors%2C%20actors_movies%20WHERE%20actors.id%20%3D%3D%20movies.actor_id%20AND%20movie.id%20%3D%3D%20cixos5gtq0ogi0126tvekxo27%3B HTTP/1.1
Yes, the query URL can be too long, but you can put it into the body of a POST request if you don't care about REST compliance. (By the way, I think the HTTP RFC need be revised for REST to make sense: capping the length of query strings mixes implementation with specification at the very beginning)
Directly issuing SQL from the client also has the advantage of
- No server-side code/library is required to parse GraphQL, reducing development time.
- No server-side overhead is needed to parse GraphQL, reducing runtime.
- SQL statements are much more flexible than GraphQL because (in most cases) the latter will reduce to SQL anyway.
- Everyone knows SQL.
So, what the advantages GraphQL have over SQL?
architecture database web-development api web-services
architecture database web-development api web-services
edited 1 hour ago
whatsisname
25.1k136788
asked 8 hours ago
nalzoknalzok
1205
New contributor
nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 1 hour ago
whatsisname
25.1k136788
asked 8 hours ago
nalzoknalzok
1205
New contributor
nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 1 hour ago
whatsisname
25.1k136788
edited 1 hour ago
whatsisname
25.1k136788
edited 1 hour ago
whatsisname
25.1k136788
25.1k136788
asked 8 hours ago
nalzoknalzok
1205
New contributor
nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 8 hours ago
nalzoknalzok
1205
asked 8 hours ago
nalzoknalzok
1205
1205
New contributor
nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
3
Little Bobby Tables.
– Philip Kendall
8 hours ago
@PhilipKendall Do you mean SQL injection? This can be solved conveniently by setting the role of the corresponding SQL user to read-only. Also, I can always require some kind of API secret key, or employ other authentication techniques.
– nalzok
8 hours ago
1
What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.
– Laiv
8 hours ago
2
@nalzok: SQL is Turing-complete, which means it is impossible to validate statically.
– Jörg W Mittag
8 hours ago
1
There're more risks than injection tho. And architectural boundaries like having more than one DB or having no DB at all. You are assuming that behind an HTTP there's a SQL DB. SQL, graphQL, odata, etc are mere query languages no the DB itself.
– Laiv
8 hours ago
|
show 8 more comments
3
Little Bobby Tables.
– Philip Kendall
8 hours ago
@PhilipKendall Do you mean SQL injection? This can be solved conveniently by setting the role of the corresponding SQL user to read-only. Also, I can always require some kind of API secret key, or employ other authentication techniques.
– nalzok
8 hours ago
1
What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.
– Laiv
8 hours ago
2
@nalzok: SQL is Turing-complete, which means it is impossible to validate statically.
– Jörg W Mittag
8 hours ago
1
There're more risks than injection tho. And architectural boundaries like having more than one DB or having no DB at all. You are assuming that behind an HTTP there's a SQL DB. SQL, graphQL, odata, etc are mere query languages no the DB itself.
– Laiv
8 hours ago
3
3
Little Bobby Tables.
– Philip Kendall
8 hours ago
Little Bobby Tables.
– Philip Kendall
8 hours ago
@PhilipKendall Do you mean SQL injection? This can be solved conveniently by setting the role of the corresponding SQL user to read-only. Also, I can always require some kind of API secret key, or employ other authentication techniques.
– nalzok
8 hours ago
@PhilipKendall Do you mean SQL injection? This can be solved conveniently by setting the role of the corresponding SQL user to read-only. Also, I can always require some kind of API secret key, or employ other authentication techniques.
– nalzok
8 hours ago
1
1
What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.
– Laiv
8 hours ago
What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.
– Laiv
8 hours ago
2
2
@nalzok: SQL is Turing-complete, which means it is impossible to validate statically.
– Jörg W Mittag
8 hours ago
@nalzok: SQL is Turing-complete, which means it is impossible to validate statically.
– Jörg W Mittag
8 hours ago
1
1
There're more risks than injection tho. And architectural boundaries like having more than one DB or having no DB at all. You are assuming that behind an HTTP there's a SQL DB. SQL, graphQL, odata, etc are mere query languages no the DB itself.
– Laiv
8 hours ago
There're more risks than injection tho. And architectural boundaries like having more than one DB or having no DB at all. You are assuming that behind an HTTP there's a SQL DB. SQL, graphQL, odata, etc are mere query languages no the DB itself.
– Laiv
8 hours ago
|
show 8 more comments
2 Answers
2
active
oldest
votes
Basically, abstraction.
SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.
Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.
And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).
For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.
answered 3 hours ago
AndyAndy
7,51911437
add a comment |
In theory there is no reason you can't expose an SQL interface like this.
In practice SQL is far to powerful to be effectively limited to the security scope you want to expose.
Even if you allow only read access, a bad query can still hog resources.
Other languages such as graphQL are designed to be exposed. They are mearly giving users a filter option on what they could already see.
The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.
answered 2 hours ago
EwanEwan
43.2k33695
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "131"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
nalzok is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsoftwareengineering.stackexchange.com%2fquestions%2f389900%2fwhy-not-use-sql-instead-of-graphql%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Basically, abstraction.
SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.
Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.
And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).
For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.
answered 3 hours ago
AndyAndy
7,51911437
add a comment |
Basically, abstraction.
SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.
Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.
And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).
For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.
answered 3 hours ago
AndyAndy
7,51911437
add a comment |
Basically, abstraction.
SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.
Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.
And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).
For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.
answered 3 hours ago
AndyAndy
7,51911437
Basically, abstraction.
SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.
Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.
And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).
For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.
answered 3 hours ago
AndyAndy
7,51911437
answered 3 hours ago
AndyAndy
7,51911437
answered 3 hours ago
AndyAndy
7,51911437
answered 3 hours ago
AndyAndy
7,51911437
7,51911437
add a comment |
add a comment |
In theory there is no reason you can't expose an SQL interface like this.
In practice SQL is far to powerful to be effectively limited to the security scope you want to expose.
Even if you allow only read access, a bad query can still hog resources.
Other languages such as graphQL are designed to be exposed. They are mearly giving users a filter option on what they could already see.
The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.
answered 2 hours ago
EwanEwan
43.2k33695
add a comment |
In theory there is no reason you can't expose an SQL interface like this.
In practice SQL is far to powerful to be effectively limited to the security scope you want to expose.
Even if you allow only read access, a bad query can still hog resources.
Other languages such as graphQL are designed to be exposed. They are mearly giving users a filter option on what they could already see.
The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.
answered 2 hours ago
EwanEwan
43.2k33695
add a comment |
In theory there is no reason you can't expose an SQL interface like this.
In practice SQL is far to powerful to be effectively limited to the security scope you want to expose.
Even if you allow only read access, a bad query can still hog resources.
Other languages such as graphQL are designed to be exposed. They are mearly giving users a filter option on what they could already see.
The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.
answered 2 hours ago
EwanEwan
43.2k33695
In theory there is no reason you can't expose an SQL interface like this.
In practice SQL is far to powerful to be effectively limited to the security scope you want to expose.
Even if you allow only read access, a bad query can still hog resources.
Other languages such as graphQL are designed to be exposed. They are mearly giving users a filter option on what they could already see.
The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.
answered 2 hours ago
EwanEwan
43.2k33695
answered 2 hours ago
EwanEwan
43.2k33695
answered 2 hours ago
EwanEwan
43.2k33695
answered 2 hours ago
EwanEwan
43.2k33695
43.2k33695
add a comment |
add a comment |
nalzok is a new contributor. Be nice, and check out our Code of Conduct.
nalzok is a new contributor. Be nice, and check out our Code of Conduct.
nalzok is a new contributor. Be nice, and check out our Code of Conduct.
nalzok is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Software Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsoftwareengineering.stackexchange.com%2fquestions%2f389900%2fwhy-not-use-sql-instead-of-graphql%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
3
Little Bobby Tables.
– Philip Kendall
8 hours ago
@PhilipKendall Do you mean SQL injection? This can be solved conveniently by setting the role of the corresponding SQL user to read-only. Also, I can always require some kind of API secret key, or employ other authentication techniques.
– nalzok
8 hours ago
1
What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.
– Laiv
8 hours ago
2
@nalzok: SQL is Turing-complete, which means it is impossible to validate statically.
– Jörg W Mittag
8 hours ago
1
There're more risks than injection tho. And architectural boundaries like having more than one DB or having no DB at all. You are assuming that behind an HTTP there's a SQL DB. SQL, graphQL, odata, etc are mere query languages no the DB itself.
– Laiv
8 hours ago