Re: Semi-customized queries? Subset of SQL? Accessing the parser? Injection?
| From | Steve Atkins |
|---|---|
| Subject | Re: Semi-customized queries? Subset of SQL? Accessing the parser? Injection? |
| Date | |
| Msg-id | B9DFA356-5310-4A4D-AF3E-85BD6A8C3688@blighty.com |
| In reply to | Re: Semi-customized queries? Subset of SQL? Accessing the parser? Injection? ("Webb Sprague" <webb.sprague@gmail.com>) |
| Responses | Re: Semi-customized queries? Subset of SQL? Accessing the parser? Injection? |
| List | pgsql-general |
On Nov 4, 2008, at 11:12 AM, Webb Sprague wrote:

>> If they're that smart, they're smart enough to deal with SQL, and
>> likely to be frustrated by a like-sql-but-not command language or
>> a GUI query designer.
>>
>> Instead, create a user that only has enough access to read data (and
>> maybe create temporary tables) and use that user to give them
>> a sql commandline.
>>
>> It'll be drastically less development effort for you, and the end
>> result is less likely to frustrate your users.
>
> Can't do that. (Or I wouldn't have asked the question.) Need a WWW
> interface, period.
>
> Thanks for the comment, though.

That wasn't mentioned in your original question at all.

(If your constraint is just "has to be via a web browser" then that's what anyterm is for, or even just a text field that accepts a sql query. If you really want them to build queries via a gui web form then you may well be able to find something pre-built, depending on your constraints - what clients you need to support, what web framework you're using and so on. Or do it with simple combo boxes if you want to limit the users to crippled queries.)

I don't see anything that suggests hacking the SQL parser is going to be a useful thing to do. If you really think that's what you need then you might want to be a bit more specific about what your application constraints are.

I'm guessing that roles, constraints, resource limits and possibly a sacrificial replicated database will provide the answer to your actual problem, but we'd need to know what that is first.

Cheers,
  Steve
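One way to set up the restricted read-only user and resource limits suggested in the message above, as an added example that is not part of the original post. It assumes a current PostgreSQL release, is run by a superuser, and uses the hypothetical names `appdb`, `reporting` and `web_query`.

```sql
-- Added example. Hypothetical names: database appdb, schema reporting,
-- role web_query. The password is a placeholder.
CREATE ROLE web_query LOGIN PASSWORD 'replace-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    CONNECTION LIMIT 5;              -- cap concurrent sessions for this role

-- Every role inherits what PUBLIC holds, so trim PUBLIC first.
-- Other application roles then need their own explicit grants.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Read data, plus temporary tables for intermediate results.
GRANT CONNECT, TEMPORARY ON DATABASE appdb TO web_query;
GRANT USAGE ON SCHEMA reporting TO web_query;
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO web_query;

-- Tables created later in the schema (by the role running this
-- statement) become readable as well.
ALTER DEFAULT PRIVILEGES IN SCHEMA reporting
    GRANT SELECT ON TABLES TO web_query;

-- Resource limits applied at login. statement_timeout and
-- idle_in_transaction_session_timeout are session defaults that the
-- user can change with SET; temp_file_limit can only be changed by a
-- superuser.
ALTER ROLE web_query SET statement_timeout = '5s';
ALTER ROLE web_query SET idle_in_transaction_session_timeout = '30s';
ALTER ROLE web_query SET temp_file_limit = '256MB';

-- Check the result: expect only SELECT rows for web_query.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'web_query'
ORDER BY table_schema, table_name;
```

With this in place the privileges, not the web form, are what prevent writes; a text field that passes SQL through still lets the user issue `SET`, so timeouts that must hold should also be enforced by the web layer.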