📦Stored Statements
As stated while discussing the configuration file, Stored Statements are a way to specify (some of) the statement/queries you will use in the server instead of sending them over from the client.
This can be done to shorten the requests from the client; a more important reason is for security: when coupled with the next parameter, this allows the server to actually limit the SQL tat is performed to a set of predefined, controlled values. If your db contains areas that are sensitive, and you don't want to expose them, this can be very effective. See also the relevant section.
Configuration
For any database, you can add a similar piece of YAML to specify one or more stored statements:
As you can see, each stored statement has an ID that you can use to refer to it from a request.
Usage in requests
Simply specify the ID, prepended by a # sign, instead of any SQL:
Of course, despite the term, it's not limited to statements, but also querys works the same. "Statement" is just used in a generic sense here.
Limiting the server to executing stored statements
Specify the relevant configuration (line 2):
This way, the server will not accept any SQL from the client, but will only allow Stored Statements.
A possible use case is this: you have a database with a table that lists some sensitive data for a key.
You want to avoid that the whole table is extracted, but still keep it accessible for queries for a single key.
Just define a query, and restrict the server to it:
From the client, anyone will only be allowed to perform a lookup by key, so they'll need to know the key in order to access the data. No other statements are allowed, and no SQL can be passed from the client.
Last updated