182

Everyday we stray further from industry standards (lemmy.world)

submitted 1 week ago by youTellMe@lemmy.world to c/programmerhumor@lemmy.world

24 comments fedilink hide all child comments

top 24 comments

sorted by: hot top controversial new old

[-] corroded@lemmy.world 31 points 1 week ago

You've got to wrap the already basically-just-English SQL database in a layer of abstraction, then serve that as a proprietary API that's impossible to access without a precompiled library that targets a programming language you're not using and exposes methods that are 10x more difficult to use than a SELECT statement.

[-] Wilzax@lemmy.world 13 points 1 week ago

You significantly cut down on SQLi vulnerability by obscuring the database behind multiple layers of API calls though

[-] corroded@lemmy.world 2 points 1 week ago

Do you really? If you have permissions set up properly, it really seems like an API over a read-only SQL server is just an unnecessary layer of abstraction.

[-] Wilzax@lemmy.world 2 points 1 week ago

If your database is really big and suffers from large volumes of queries in a short time, it's easier to implement rate limiting in the API than by configuring SQL server permissions.

It's also easier to interact with stored procedures across multiple databases, from multiple clients, if you have a 1-to-1 API wrapper for your database procedures. This also lets you serialize your database response in a potentially more portable format than what your database returns directly, such as JSON.

The API wrapper isn't a silver bullet for security and scalability, but it is a unified framework to configure better security policies and unify multiple databases.

I admit, however, that multiple layers of API abstraction is a bit of a meme, just to keep everyone on their toes.

[-] SirQuackTheDuck@lemmy.world 8 points 1 week ago

My job consists of creating internal apis for databases to be consumed by internal systems. So yes, wrapping databases in APIs is very common and sometimes required.

The part I find weird of my job, is that the database isn't one of our team. We're accessing someone else's database, to be consumed by our own api, and writing a api to do so nicely. That's the crooked part.

[-] Crackhappy@lemmy.world 1 points 1 week ago

This is insanely common, tbh.

[-] SirQuackTheDuck@lemmy.world 1 points 1 week ago

It's common, but still a tad weird.

[-] pixxelkick@lemmy.world 17 points 1 week ago

Technichally yes, SQL is an API.

Not a RESTful one, nor an HTTP one, but SQL over a socket is very much a type of API...

But I'm guessing we meant an HTTP RESTful API in which case god I hope not

[-] Kazumara@discuss.tchncs.de 1 points 1 week ago* (last edited 1 week ago)

"I want a proper api that does work, slap the DB on a socket, none of that resting HTTP stuff"

[-] sebsch@discuss.tchncs.de 15 points 1 week ago* (last edited 1 week ago)

GET /api/database?query=SELECT+++name+++FROM+++users+++WHERE+++id=42

I've seen that exact type of endpoint, hitting databases in production. 🔥

[-] ChillPenguin@lemmy.world 5 points 1 week ago

[-] surewhynotlem@lemmy.world 1 points 1 week ago

If that's a pass through, that's bad.

If that's used for authentication, authorization, credential limiting, or rate limiting, then sure.

[-] sebsch@discuss.tchncs.de 3 points 1 week ago

There is no context in this world validating this level of unsanitized SQL. Even for internal use this is bad, since it bypasses the auth of server and dbms.

[-] surewhynotlem@lemmy.world 1 points 1 week ago

That is a very good point.

[-] BodilessGaze@sh.itjust.works 10 points 1 week ago

How does that work? You mean you allow API clients to execute arbitrary queries? How has nobody nuked your DB yet?

[-] semperverus@lemmy.world 9 points 1 week ago

You mean a Snowflake instance?

[-] lime@feddit.nu 7 points 1 week ago* (last edited 1 week ago)

hey fun fact, yes it is!

[-] DavidGarcia@feddit.nl 4 points 1 week ago

SurrealDB recommends that you use their DB by giving clients direct database access lmao

[-] UnderpantsWeevil@lemmy.world 3 points 1 week ago

Okay, hear me out. We do Stalinism, but exclusively for coding.

[-] RagingHungryPanda@lemm.ee 3 points 1 week ago

Should I ask you to explain? I'm scared.

[-] wdx@feddit.org 2 points 1 week ago

I was shortly in a project where the team and the customer meant the fucking Oracle DB when they were talking about "the backend".

There was Java Spring Boot (on some outdated, old old version), but all it did was pass args from a "REST" API (doing essentially RPCs with POSTs is REST, right?) to the DB.

The DB then had functions upon functions written in pl/sql that did the actual work.

I have no idea who the fuck thought that that was even remotely a good idea.

Anyways - I am happy to have moved on to better, more sensible projects :D

[-] amio@lemmy.world 1 points 1 week ago

Not ridiculously pedantically, of course... but yes

[-] figjam@midwest.social 1 points 1 week ago

How do we teach new engineers to build unit tests? "Have copilot write them."

[-] SapphironZA@sh.itjust.works 1 points 1 week ago

Some assembly required.

this post was submitted on 07 Oct 2024

182 points (99.5% liked)

Programmer Humor

1340 readers

2 users here now

founded 1 year ago

MODERATORS

usr_bin_env@lemmy.world