buunguyen / mongoose-deep-populate

Mongoose plugin to enable deep population of nested models ⛺
MIT License

Question - how safe is deep-populate to use with unchecked input? #43

Closed hasufell closed 8 years ago

hasufell commented 8 years ago

I am considering writing a REST API that by default just maps the database to the JSON object, e.g.

/products/<product-id>

Since there are a lot of object references, it makes sense in some cases to allow deep population based on parameters, e.g.

/products/<product-id>?details=price,catalogue.store,catalogue.store.leadingMedia

where this would end up somewhat like:

foo.deepPopulate(['price', 'catalogue.store', 'catalogue.store.leadingMedia']);

Can this lead to stuff like SQL injection, or is deepPopulate safe in that regard?

buunguyen commented 8 years ago

You should whitelist the fields. So it should be safe.
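One way to apply the whitelisting suggested above, as an added example that is not part of this issue or of the plugin: the `details` query string is parsed and checked against a fixed allowlist before anything reaches `deepPopulate`, so a client can only ever request the paths the API author chose to expose. The allowlist, the path limit, the `fakeProduct` stand-in for a Mongoose document and the `loadProduct` handler are constructed for this example.

```javascript
// Allowlist of population paths the /products/<id> endpoint is willing to run.
// Constructed from the paths used in the issue; extend it deliberately, not from input.
const PRODUCT_POPULATE_ALLOWLIST = new Set([
  'price',
  'catalogue.store',
  'catalogue.store.leadingMedia',
]);

// Upper bound on paths per request, so a client cannot fan out one query into many.
const MAX_PATHS = 10;

// Turns "?details=price,catalogue.store" into a list of allowlisted paths.
// Anything not on the allowlist is rejected outright rather than silently dropped,
// so unexpected input shows up in error logs instead of reaching the database.
function parseDetails(details, allowlist = PRODUCT_POPULATE_ALLOWLIST) {
  if (details === undefined || details === '') return [];
  // Express/qs turn repeated parameters (?details=a&details=b) into an array;
  // accept exactly one string so the split below always operates on text.
  if (typeof details !== 'string') throw new TypeError('details must be a single string');

  const requested = details.split(',').map((p) => p.trim()).filter(Boolean);
  if (requested.length > MAX_PATHS) {
    throw new RangeError(`too many populate paths (max ${MAX_PATHS})`);
  }

  const accepted = [];
  for (const path of new Set(requested)) {        // Set() also dedupes, keeping order
    if (!allowlist.has(path)) throw new RangeError(`unknown populate path: ${path}`);
    accepted.push(path);
  }
  return accepted;
}

// Constructed stand-in for a Mongoose document with the plugin applied:
// it only records the paths it was asked to populate.
function fakeProduct() {
  const doc = { calls: [] };
  doc.deepPopulate = (paths) => { doc.calls.push(paths); return Promise.resolve(doc); };
  return doc;
}

// Handler-shaped helper: validate first, then populate only the accepted paths.
async function loadProduct(doc, query) {
  const paths = parseDetails(query.details);
  if (paths.length > 0) await doc.deepPopulate(paths);
  return doc;
}

module.exports = { PRODUCT_POPULATE_ALLOWLIST, MAX_PATHS, parseDetails, fakeProduct, loadProduct };
```

Because validation fails closed, a request such as `?details=price,owner.password` is refused with a 4xx-style error by the caller instead of populating a path the API never meant to expose.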