luzifer/sqlapi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Web-application to translate HTTP POST requests into SQL queries
5 Commits 1 Branch 0 Tags 40 KiB
Go 93.3%
Dockerfile 6.7%
master
Go to file
Knut Ahlers aed9ee6684
Fix database replacement in PG DSN
2024-06-30 15:14:29 +02:00
pkg Rewrite to support multiple database types 2024-06-28 22:31:45 +02:00
.gitignore Rewrite to support multiple database types 2024-06-28 22:31:45 +02:00
connect.go Fix database replacement in PG DSN 2024-06-30 15:14:29 +02:00
Dockerfile Rewrite to support multiple database types 2024-06-28 22:31:45 +02:00
go.mod Fix database replacement in PG DSN 2024-06-30 15:14:29 +02:00
go.sum Fix database replacement in PG DSN 2024-06-30 15:14:29 +02:00
http.go Rewrite to support multiple database types 2024-06-28 22:31:45 +02:00
main.go Rewrite to support multiple database types 2024-06-28 22:31:45 +02:00
README.md Fix database replacement in PG DSN 2024-06-30 15:14:29 +02:00

README.md

Luzifer / sqlapi

This repo contains a simple-ish web-application to translate HTTP POST requests into SQL queries.

Why?!?

I had the requirement to do SQL queries from fairly simple scripts without the possibility to add a SQL client. As HTTP calls are possible in nearly every environement the idea was to have an API to execute arbitrary SQL statements over a JSON POST-API.

Security

⚠⚠⚠ NEVER EVER LEAVE THIS OPEN TO THE INTERNET! ⚠⚠⚠

Having stated that as clearly as possible: This API does not limit the type of queries being executed. The only thing saving you might be the permissions of the user you configured in the DSN given to the tool. If you gave it global admin permissions, well - you've just handed over your database server.

In general make sure you understood what is possible using this and limit access to an absolute minimum. Your data got lost / leaked? I did warn you.

How to use?

POST /{database}
Content-Type: application/json

[...]

# sqlapi --help
Usage of sqlapi:
      --db-type string     Database type to connect to
      --dsn string         DSN to connect to (see README for formats)
      --listen string      Port/IP to listen on (default ":3000")
      --log-level string   Log level (debug, info, warn, error, fatal) (default "info")
      --version            Prints current version and exits

# sqlapi \
    --db-type mysql \
    --dsn "limiteduser:verysecretpass@tcp(mydatabase.cluster.local:3306)/?charset=utf8mb4&parseTime=True&loc=Local" \
    --listen 127.0.0.1:7895
INFO[0000] sqlapi started                              addr="127.0.0.1:7895" version=dev

# curl -s --data-binary @select.json localhost:7895/sqlapi_test | jq .

DSN formats

  • MySQL / MariaDB
  • Postgres / CockroachDB
    • postgres://jack:secret@pg.example.com:5432/mydb?sslmode=verify-ca
    • For parameters see github.com/jackc/pgx/v5
    • The key=value anotherkey=anothervalue format is not supported

Request format

  • MySQL / MariaDB
    • Placeholders use ? for arguments
  • Postgres / CockroachDB
    • Placeholders use $1, $2, ... for arguments
[
  ["SELECT * FROM testtable"],
  ["INSERT INTO testtable (name, age, birthday) VALUES (?, ?, ?)", "Karl", 45, "1999-02-05T02:00:00"],
  ["SELECT * FROM testtable WHERE name = ?", "Karl"],
  ["DELETE FROM testtable WHERE name = ?", "Karl"]
]

Response format

[
  null,
  null,
  [
    {
      "age": 45,
      "birthday": "1999-02-05T02:00:00+01:00",
      "id": 1,
      "name": "Karl"
    }
  ],
  null
]