• corroded@lemmy.world
    link
    fedilink
    English
    arrow-up
    31
    ·
    2 months ago

    You’ve got to wrap the already basically-just-English SQL database in a layer of abstraction, then serve that as a proprietary API that’s impossible to access without a precompiled library that targets a programming language you’re not using and exposes methods that are 10x more difficult to use than a SELECT statement.

    • Wilzax@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      2 months ago

      You significantly cut down on SQLi vulnerability by obscuring the database behind multiple layers of API calls though

      • corroded@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        Do you really? If you have permissions set up properly, it really seems like an API over a read-only SQL server is just an unnecessary layer of abstraction.

        • Wilzax@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          2 months ago

          If your database is really big and suffers from large volumes of queries in a short time, it’s easier to implement rate limiting in the API than by configuring SQL server permissions.

          It’s also easier to interact with stored procedures across multiple databases, from multiple clients, if you have a 1-to-1 API wrapper for your database procedures. This also lets you serialize your database response in a potentially more portable format than what your database returns directly, such as JSON.

          The API wrapper isn’t a silver bullet for security and scalability, but it is a unified framework to configure better security policies and unify multiple databases.

          I admit, however, that multiple layers of API abstraction is a bit of a meme, just to keep everyone on their toes.

    • SirQuackTheDuck@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 months ago

      My job consists of creating internal apis for databases to be consumed by internal systems. So yes, wrapping databases in APIs is very common and sometimes required.

      The part I find weird of my job, is that the database isn’t one of our team. We’re accessing someone else’s database, to be consumed by our own api, and writing a api to do so nicely. That’s the crooked part.