pinky0x51

Reputation: 329

RESTful application, want to send SQL query as a read request

I'm working on a RESTful web application. Now I want to extend the read (GET) request to handle SQL-like queries, but I was not able to encode them into the URL because of all the special characters (" ", "/", "<", ">", "{", "}", etc.). I already read that it is not a good idea to use the message body in a GET request. So at the moment the only option I see is to use the POST request. But then again I would say that this is not a good solution either, because I would use POST for a read operation. According to the REST principles, reads should be done by the GET request and POST should only be used to manipulate data.

What do you think? What's the best way to send SQL-like queries to my web application?

Thanks a lot

Upvotes: 1

Views: 2375

Answers (2)

Darrel Miller

Reputation: 142202

See the OData URI Conventions for one example of how to stuff query operations into a URI.

However, you are over-constraining the use of POST. The idea of the HTTP methods is that when the characteristics of a request fit those of GET, PUT and DELETE you SHOULD use them. You MUST NOT use them if the characteristics do not match. However, POST is a wildcard method that can be used for any request.

There is no requirement that POST must write, update or manipulate data in any way. By telling a client that it needs to use the POST method you are just not making any promises to the client about the behaviour of the server.

There is nothing wrong with using POST to submit chunks of data to be used for queries. The downside is that the response of a POST is not cached and therefore you cannot take advantage of that.

There are numerous hybrid approaches, one of which is to POST the query parameters and have the server create a new temporary resource that represents the query, and then return a redirect so the client does a GET on the temporary query resource.

Upvotes: 0

Jinesh Parekh

Reputation: 2141

Use CGI::escape("select * from NEVER_DO_SUCH_THINGS where SQL_INJECTION > 'unsafe'")

Upvotes: 2
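Putting the two answers together, as an added example rather than code from either poster: the client percent-encodes a small OData-style `$filter` expression with `CGI.escape` so it fits in a GET URI (the encoding step the second answer points at, and one way to "stuff query operations into a URI" as the first answer describes), and the server decodes it, allowlists the column names, and turns it into a parameterised query, so the client's text never becomes SQL directly (the risk the `NEVER_DO_SUCH_THINGS` / `SQL_INJECTION` names hint at). The filter grammar shown here is a tiny subset of OData's, and the `people` table, its columns and the base URL are assumptions made for the example.

```ruby
require 'cgi'
require 'strscan'

# Constructed example: a server-side allowlist of the columns a client may
# filter on. Anything not in this list is rejected before SQL is built.
ALLOWED_FIELDS = %w[name age status].freeze

# The OData-style comparison operators this example understands, mapped to
# SQL. The client's operator token is only ever used as a key into this hash.
OPERATORS = {
  'eq' => '=', 'ne' => '<>', 'gt' => '>',
  'ge' => '>=', 'lt' => '<', 'le' => '<='
}.freeze

# One filter term: field, operator, then a single-quoted string (with '' as
# the escaped quote) or an unsigned integer literal.
TERM = /\s*(\w+)\s+(eq|ne|gt|ge|lt|le)\s+('(?:[^']|'')*'|\d+)/i

class FilterError < StandardError; end

# Client side: CGI.escape percent-encodes the spaces, quotes and comparison
# characters that the question says break the URL, so the whole expression
# travels as an ordinary GET query parameter.
def build_query_uri(base, filter)
  "#{base}?$filter=#{CGI.escape(filter)}"
end

# Server side: recover the decoded filter expression from the request URI.
def extract_filter(uri)
  query = uri.split('?', 2)[1] or raise FilterError, 'no query string'
  params = CGI.parse(query)
  params.fetch('$filter') { raise FilterError, 'missing $filter' }.first
end

# Translate the filter into a WHERE clause with bind parameters. Only
# allowlisted column names and fixed operator strings are interpolated into
# the SQL text; every value is returned separately for the driver to bind.
def filter_to_sql(filter)
  s = StringScanner.new(filter)
  clauses = []
  params = []
  loop do
    s.scan(TERM) or raise FilterError, "malformed term at offset #{s.pos}"
    field, op, raw = s[1], s[2].downcase, s[3]
    raise FilterError, "field not allowed: #{field}" unless ALLOWED_FIELDS.include?(field)
    clauses << "#{field} #{OPERATORS.fetch(op)} ?"
    # Quoted strings lose their outer quotes and un-double the inner ones;
    # anything else must parse as a base-10 integer.
    params << (raw.start_with?("'") ? raw[1..-2].gsub("''", "'") : Integer(raw, 10))
    s.skip(/\s+/)
    break if s.eos?
    # Only 'and' may join terms; 'or 1=1' and friends fail here.
    s.scan(/and\b/i) or raise FilterError, "expected 'and' at offset #{s.pos}"
  end
  ["SELECT name, age, status FROM people WHERE #{clauses.join(' AND ')}", params]
end

if $PROGRAM_NAME == __FILE__
  # Constructed request: the base URL and filter are sample values.
  uri = build_query_uri('https://example.test/people', "name eq 'O''Brien' and age gt 30")
  puts uri
  sql, params = filter_to_sql(extract_filter(uri))
  puts sql
  p params
  begin
    filter_to_sql("name eq 'x' or 1=1")
  rescue FilterError => e
    puts "rejected: #{e.message}"
  end
end
```

The shape of the grammar does the security work: because the scanner only accepts `field op value [and ...]` and the field must be in `ALLOWED_FIELDS`, a client can express what the service has decided to support and nothing else, which is the difference between "a query language in the URI" and "SQL in the URI".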
