Who's afraid of DELETE /most/valuable/resource?

At presentations, people sometimes suggest that having syntax like 'DELETE FROM valuable_resource' is inherently dangerous.

Why is it more dangerous than the subject line, a syntactically valid ReST request, that achieves a similar result?

Either one is safe, if the authorization is handled correctly. The SQL syntax, though, is immensely more powerful, as the request can be arbitrarily complex, with built-in filtering conditions.

A sample query:

-- Outer query: one row per surviving word, with its lemmas, parts of speech
-- and alternates aggregated. The %s placeholders are bound parameters.
SELECT distinct word, array_agg(lemma) AS lemmas,
       bool_or(pronoun_suffix) AS suffix,
       array_agg(part_of_speech) AS pos,
       array_agg(part_of_speech_detail) AS posd,
       ARRAY(SELECT alt FROM alt_words a
              WHERE a.word = w.word) AS alts,
       min(lemma_idx) AS idx
  FROM wordlist w WHERE word IN
   (
    -- Inner query: keep only the smallest word in each 3-character prefix group,
    -- restricted to words starting with one of two bound initial letters.
    SELECT min(word)
    FROM wordlist w
    WHERE (substring(word FROM 1 FOR 1) = %s
           OR substring(word FROM 1 FOR 1) = %s)
    GROUP BY substring(word FROM 1 FOR 3)
   )
 GROUP BY word
 ORDER BY word ASC LIMIT 1000;

The above query gets a list of words reduced so that no two consecutive words share their first three characters (one word per 3-character prefix). This may seem like an arbitrary example chosen for rhetorical effect, but it is an excerpt from a working app.

The SQL query can be implemented by the front-end programmer to suit his or her particular needs. The same flexibility could be incorporated into a ReST request handler, but that would not be front-end anymore. Rdbhost lets you, the front-end programmer, write powerful server queries directly in your browser code.
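To make the point above concrete (arbitrary client SQL is safe exactly when authorization is enforced underneath it), here is an added example that is not from the post or from Rdbhost: the prefix query ported to Python's built-in sqlite3 (array_agg becomes group_concat, substring becomes substr, %s becomes ?) running over a small constructed wordlist, behind an sqlite3 authorizer that permits only read actions. The same client path is then handed a DELETE and is refused; table name, columns and sample rows are all assumptions for the demo.

```python
import sqlite3

# Constructed sample data (word, lemma, lemma_idx); not from the original post.
WORDLIST = [
    ("abandon", "abandon", 1), ("abandoned", "abandon", 1), ("abate", "abate", 2),
    ("bake", "bake", 3), ("baker", "bake", 3), ("banana", "banana", 4), ("cat", "cat", 5),
]

# sqlite port of the post's query: one word per 3-character prefix, words
# starting with either of two bound letters, lemmas aggregated per word.
PREFIX_QUERY = """
SELECT word, group_concat(lemma) AS lemmas, min(lemma_idx) AS idx
  FROM wordlist w
 WHERE word IN (SELECT min(word) FROM wordlist
                 WHERE substr(word, 1, 1) = ? OR substr(word, 1, 1) = ?
                 GROUP BY substr(word, 1, 3))
 GROUP BY word ORDER BY word ASC LIMIT 1000
"""

# Actions a browser-originated query may perform: SELECT, column reads, functions.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def read_only_authorizer(action, arg1, arg2, db_name, trigger):
    # sqlite calls this while compiling every statement; DELETE, UPDATE, INSERT,
    # DROP and the rest never reach the table because they are denied here.
    return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wordlist (word TEXT, lemma TEXT, lemma_idx INTEGER)")
    conn.executemany("INSERT INTO wordlist VALUES (?, ?, ?)", WORDLIST)
    conn.commit()
    conn.set_authorizer(read_only_authorizer)  # from here on, client SQL is read-only
    return conn

def run_client_query(conn, sql, params=()):
    """Run client-supplied SQL with bound parameters; return rows, or None if denied."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError:
        # An authorizer refusal surfaces as a DatabaseError ("not authorized").
        return None

def demo():
    conn = open_db()
    rows = run_client_query(conn, PREFIX_QUERY, ("a", "b"))     # allowed: SELECT only
    denied = run_client_query(conn, "DELETE FROM wordlist")     # refused by authorizer
    remaining = conn.execute("SELECT count(*) FROM wordlist").fetchone()[0]
    return rows, denied, remaining
```

Running demo() returns the three prefix survivors (abandon, bake, banana), None for the DELETE, and all seven rows still present.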
