Expose complex dynamic queries over REST
15 views
Skip to first unread message
Colin Taylor
Jan 10, 2014, 3:14:52 PM1/10/14
to rubyonra...@googlegroups.com
I'm trying to build a web application for data analysis. The client can send ad-hoc queries to my back-end data service. For example:
(foo >= 10 OR bar == 'baz') AND bat < 10
Is there a rails/activerecord standard for sending this type of query through REST? A DAO / method_missing won't work because there are an infinite number of permutations per model (e.g. an arbitrary number of attributes, clauses, etc). Is there something that could take a "Lucene-like" query string and construct an activerecord request? Or do I just have to manually parse it myself?
Dave Aronson
Jan 11, 2014, 11:31:24 AM1/11/14
to rubyonrails-talk
On Fri, Jan 10, 2014 at 3:14 PM, Colin Taylor <cjnt...@gmail.com> wrote:
> I'm trying to build a web application for data analysis. The
> client can send ad-hoc queries to my back-end data service.
I would advise you question the need for this. Not because it's
> I'm trying to build a web application for data analysis. The
> client can send ad-hoc queries to my back-end data service.
difficult in Rails, but for security. Imagine what someone with evil
intents could do. He could delete your data, or worse yet just alter
it so the answers are wrong. He could fill up your database, and if
there aren't limits on that, then maybe your whole disk. Depending
what DBMS you're using, *maybe* there's some way to make it read-only.
Alternately, maybe there's some gem that will sanitize it for you.
IWCTW, you could take the more difficult approach of letting them
specify what variable(s) need to be in what range, what tables to join
on, etc.
-Dave
--
Dave Aronson, the T. Rex of Codosaurus LLC (codosaur.us),
freelance software developer, and creator of these sites:
PullRequestRoulette.com, blog.codosaur.us, & Dare2XL.com.
Rick
Jan 13, 2014, 11:04:13 PM1/13/14
to rubyonra...@googlegroups.com
One approach would be to define a domain specific language and implement a compiler. This would give you an opportunity to check both the form (lexical scanner) and content (syntax checker) of the user input and map all legal requests on your data.
For obvious reasons, this language should not include the ability to pass SQL statements intact from the user to your database. But you could allow the user to implement a nice custom report generator to support analysis.
Racc is the gem capturing the syntax, it continues the tradition of recasting Stephen Johnson's YACC, which itself built on Donald Knuth's work. There isn't a lex/flex gem but ruby provides good support for lexical analysis.
For obvious reasons, this language should not include the ability to pass SQL statements intact from the user to your database. But you could allow the user to implement a nice custom report generator to support analysis.
Racc is the gem capturing the syntax, it continues the tradition of recasting Stephen Johnson's YACC, which itself built on Donald Knuth's work. There isn't a lex/flex gem but ruby provides good support for lexical analysis.
Reply all
Reply to author
Forward
0 new messages