Hi, I need help; I don't know if the road that I'm taking is the right one.
I have a WebCore application, and I need to execute a complex select on the server, via XData server. The SQL statement is built from the user choices (ideally, as if the user could write the SQL directly in a memo field).
I think that I have two possibilities:
- upload a text file with the statement, and then execute the SQL statement it contains with an XData Service Operation
- pass the string containing the statement directly to the Service Operation
In all cases, the Service Operation will return the list with the records extracted.
Am I missing something? Is there a better way?
Allowing users to execute arbitrary SQL is a security problem. I wouldn't allow your server to do that.
Just create a service operation which receives the parameters and builds your SQL server-side, executes it and returns the results.
Thank you Wagner,
Yes, I agree, there would be a big security problem. But if the server is accessible only on the LAN, and only by db administrators, we have the option to permit such custom queries.
From your answer, in any case, I understand that the best way is always to use the service operations, passing the SQL statement in some way. There is no other "magic trick" possible.
Thank you, ciao !
Well, XData already provides its own query system, which is achievable using the $filter query string. It was built to be at the same time flexible and secure. If you indeed need even more flexibility and execute arbitrary SQL statements, service operations are the way to go.
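The advice given earlier in the thread, a service operation that receives parameters and builds the SQL server-side, sketched as an added example that is not part of the original posts and is not XData code. It uses Python with sqlite3 as a stand-in for the server's database layer; the `customers` table, its columns, the operator names and all function names are hypothetical.

```python
import sqlite3

# Hypothetical allow-lists: the only columns and operators a client may name.
ALLOWED_COLUMNS = {"id", "name", "city", "balance"}
ALLOWED_OPERATORS = {"eq": "=", "ne": "<>", "lt": "<", "le": "<=",
                     "gt": ">", "ge": ">=", "like": "LIKE"}
MAX_ROWS = 500


def build_select(columns, filters, order_by=None, limit=100):
    """Turn structured user choices into (sql, params) for the fixed table."""
    if not columns or any(c not in ALLOWED_COLUMNS for c in columns):
        raise ValueError("unknown or missing column in select list")
    sql = "SELECT " + ", ".join(columns) + " FROM customers"
    params, clauses = [], []
    for column, op, value in filters:
        if column not in ALLOWED_COLUMNS or op not in ALLOWED_OPERATORS:
            raise ValueError("unknown column or operator in filter")
        # Identifiers come from the allow-list; the value is only ever bound.
        clauses.append(f"{column} {ALLOWED_OPERATORS[op]} ?")
        params.append(value)
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    if order_by is not None:
        if order_by not in ALLOWED_COLUMNS:
            raise ValueError("unknown column in order_by")
        sql += " ORDER BY " + order_by
    sql += " LIMIT ?"
    params.append(max(1, min(int(limit), MAX_ROWS)))  # cap the result size
    return sql, params


def run_query(conn, columns, filters, order_by=None, limit=100):
    """What the service operation would do: build, execute, return rows."""
    sql, params = build_select(columns, filters, order_by, limit)
    return conn.execute(sql, params).fetchall()


def demo_connection():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, city TEXT, balance REAL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)",
                     [(1, "Anna", "Rome", 120.0), (2, "Bruno", "Milan", 80.5),
                      (3, "Carla", "Rome", 15.0)])
    return conn


if __name__ == "__main__":
    filters = [("city", "eq", "Rome"), ("balance", "gt", 50)]
    print(run_query(demo_connection(), ["name", "balance"], filters, "name"))
```

The client sends only column names, operator keys and values; nothing it sends is ever concatenated into the statement as free text.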