Why not use SQL instead of GraphQL?Why use services (REST/SOAP) instead of a library?Why to use web services...

What are the differences between the usage of 'it' and 'they'?

What would happen to a modern skyscraper if it rains micro blackholes?

Font hinting is lost in Chrome-like browsers (for some languages )

How does one intimidate enemies without having the capacity for violence?

Can a Warlock become Neutral Good?

Arthur Somervell: 1000 Exercises - Meaning of this notation

can i play a electric guitar through a bass amp?

What typically incentivizes a professor to change jobs to a lower ranking university?

Can I ask the recruiters in my resume to put the reason why I am rejected?

Today is the Center

How to find program name(s) of an installed package?

Why Is Death Allowed In the Matrix?

Smoothness of finite-dimensional functional calculus

Which models of the Boeing 737 are still in production?

Can I make popcorn with any corn?

Can divisibility rules for digits be generalized to sum of digits

Why are electrically insulating heatsinks so rare? Is it just cost?

Why do falling prices hurt debtors?

Why not use SQL instead of GraphQL?

What's the output of a record cartridge playing an out-of-speed record

What defenses are there against being summoned by the Gate spell?

Is it unprofessional to ask if a job posting on GlassDoor is real?

What does it mean to describe someone as a butt steak?

How to write a macro that is braces sensitive?



Why not use SQL instead of GraphQL?


Why use services (REST/SOAP) instead of a library?Why to use web services instead of direct access to a relational database for an android app?Why creating a new MDX language instead of extending SQL?Why use JSP instead of servlets?How to efficiently query movies with characters via The Movie DB API?Is using REST consumed by a Javascript framework on the front-end the same as using microservices?GraphQL - Should I expose link tables?Is there a valid alternative to HTTP headers for sending auth credentialsHow to store blog post in database - React & GraphQLIs GraphQL REST compliant (almost)?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







3















Recently I learned about GraphQL which claims to be superior to RESTful. However, I started wondering why don't we simply put SQL statements into an HTTP GET request.



For example, in GraphQL I would write



{
Movie(id: "cixos5gtq0ogi0126tvekxo27") {
id
title
actors {
name
}
}
}


Which isn't much simpler than its SQL counterpart



SELECT id, title FROM movies WHERE id = cixos5gtq0ogi0126tvekxo27;
SELECT actors.name FROM actors, actors_movies WHERE actors.id == movies.actor_id AND movie.id == cixos5gtq0ogi0126tvekxo27;


Maybe we can URL-encode the query and send to the server



GET endpoint?q=SELECT%20id%2C%20title%20FROM%20movies%20WHERE%20id%20%3D%20cixos5gtq0ogi0126tvekxo27%3B%0ASELECT%20actors.name%20FROM%20actors%2C%20actors_movies%20WHERE%20actors.id%20%3D%3D%20movies.actor_id%20AND%20movie.id%20%3D%3D%20cixos5gtq0ogi0126tvekxo27%3B HTTP/1.1


Yes, the query URL can be too long, but you can put it into the body of a POST request if you don't care about REST compliance. (By the way, I think the HTTP RFC need be revised for REST to make sense: capping the length of query strings mixes implementation with specification at the very beginning)



Directly issuing SQL from the client also has the advantage of




  1. No server-side code/library is required to parse GraphQL, reducing development time.

  2. No server-side overhead is needed to parse GraphQL, reducing runtime.

  3. SQL statements are much more flexible than GraphQL because (in most cases) the latter will reduce to SQL anyway.

  4. Everyone knows SQL.


So, what the advantages GraphQL have over SQL?










share|improve this question









New contributor




nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 18





    Little Bobby Tables.

    – Philip Kendall
    18 hours ago






  • 1





    1. I can still DoS you with arbitrarily complicated SQL queries. 2. There's no chance a malicious actor would ever obtain a valid key...

    – Philip Kendall
    18 hours ago








  • 1





    What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.

    – Laiv
    18 hours ago








  • 3





    @nalzok: SQL is Turing-complete, which means it is impossible to validate statically.

    – Jörg W Mittag
    17 hours ago






  • 3





    This is very simple to understand why it's a terrible idea. Implement it yourself. At some point, you will realise that your are investing the time mostly in 1 thing: security. Not too later you will feel somewhat upset because you are implementing a caped TOAD. Then you will realise how hard is mapping rows all over the system and you will try to reinvent the ORM wheel on both sides: client and server. By the time you give up, your PM will ask you for report: how is the users' service going? Is it done?"...

    – Laiv
    13 hours ago




















3















Recently I learned about GraphQL which claims to be superior to RESTful. However, I started wondering why don't we simply put SQL statements into an HTTP GET request.



For example, in GraphQL I would write



{
Movie(id: "cixos5gtq0ogi0126tvekxo27") {
id
title
actors {
name
}
}
}


Which isn't much simpler than its SQL counterpart



SELECT id, title FROM movies WHERE id = cixos5gtq0ogi0126tvekxo27;
SELECT actors.name FROM actors, actors_movies WHERE actors.id == movies.actor_id AND movie.id == cixos5gtq0ogi0126tvekxo27;


Maybe we can URL-encode the query and send to the server



GET endpoint?q=SELECT%20id%2C%20title%20FROM%20movies%20WHERE%20id%20%3D%20cixos5gtq0ogi0126tvekxo27%3B%0ASELECT%20actors.name%20FROM%20actors%2C%20actors_movies%20WHERE%20actors.id%20%3D%3D%20movies.actor_id%20AND%20movie.id%20%3D%3D%20cixos5gtq0ogi0126tvekxo27%3B HTTP/1.1


Yes, the query URL can be too long, but you can put it into the body of a POST request if you don't care about REST compliance. (By the way, I think the HTTP RFC need be revised for REST to make sense: capping the length of query strings mixes implementation with specification at the very beginning)



Directly issuing SQL from the client also has the advantage of




  1. No server-side code/library is required to parse GraphQL, reducing development time.

  2. No server-side overhead is needed to parse GraphQL, reducing runtime.

  3. SQL statements are much more flexible than GraphQL because (in most cases) the latter will reduce to SQL anyway.

  4. Everyone knows SQL.


So, what the advantages GraphQL have over SQL?










share|improve this question









New contributor




nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 18





    Little Bobby Tables.

    – Philip Kendall
    18 hours ago






  • 1





    1. I can still DoS you with arbitrarily complicated SQL queries. 2. There's no chance a malicious actor would ever obtain a valid key...

    – Philip Kendall
    18 hours ago








  • 1





    What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.

    – Laiv
    18 hours ago








  • 3





    @nalzok: SQL is Turing-complete, which means it is impossible to validate statically.

    – Jörg W Mittag
    17 hours ago






  • 3





    This is very simple to understand why it's a terrible idea. Implement it yourself. At some point, you will realise that your are investing the time mostly in 1 thing: security. Not too later you will feel somewhat upset because you are implementing a caped TOAD. Then you will realise how hard is mapping rows all over the system and you will try to reinvent the ORM wheel on both sides: client and server. By the time you give up, your PM will ask you for report: how is the users' service going? Is it done?"...

    – Laiv
    13 hours ago
















3












3








3


2






Recently I learned about GraphQL which claims to be superior to RESTful. However, I started wondering why don't we simply put SQL statements into an HTTP GET request.



For example, in GraphQL I would write



{
Movie(id: "cixos5gtq0ogi0126tvekxo27") {
id
title
actors {
name
}
}
}


Which isn't much simpler than its SQL counterpart



SELECT id, title FROM movies WHERE id = cixos5gtq0ogi0126tvekxo27;
SELECT actors.name FROM actors, actors_movies WHERE actors.id == movies.actor_id AND movie.id == cixos5gtq0ogi0126tvekxo27;


Maybe we can URL-encode the query and send to the server



GET endpoint?q=SELECT%20id%2C%20title%20FROM%20movies%20WHERE%20id%20%3D%20cixos5gtq0ogi0126tvekxo27%3B%0ASELECT%20actors.name%20FROM%20actors%2C%20actors_movies%20WHERE%20actors.id%20%3D%3D%20movies.actor_id%20AND%20movie.id%20%3D%3D%20cixos5gtq0ogi0126tvekxo27%3B HTTP/1.1


Yes, the query URL can be too long, but you can put it into the body of a POST request if you don't care about REST compliance. (By the way, I think the HTTP RFC need be revised for REST to make sense: capping the length of query strings mixes implementation with specification at the very beginning)



Directly issuing SQL from the client also has the advantage of




  1. No server-side code/library is required to parse GraphQL, reducing development time.

  2. No server-side overhead is needed to parse GraphQL, reducing runtime.

  3. SQL statements are much more flexible than GraphQL because (in most cases) the latter will reduce to SQL anyway.

  4. Everyone knows SQL.


So, what the advantages GraphQL have over SQL?










share|improve this question









New contributor




nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












Recently I learned about GraphQL which claims to be superior to RESTful. However, I started wondering why don't we simply put SQL statements into an HTTP GET request.



For example, in GraphQL I would write



{
Movie(id: "cixos5gtq0ogi0126tvekxo27") {
id
title
actors {
name
}
}
}


Which isn't much simpler than its SQL counterpart



SELECT id, title FROM movies WHERE id = cixos5gtq0ogi0126tvekxo27;
SELECT actors.name FROM actors, actors_movies WHERE actors.id == movies.actor_id AND movie.id == cixos5gtq0ogi0126tvekxo27;


Maybe we can URL-encode the query and send to the server



GET endpoint?q=SELECT%20id%2C%20title%20FROM%20movies%20WHERE%20id%20%3D%20cixos5gtq0ogi0126tvekxo27%3B%0ASELECT%20actors.name%20FROM%20actors%2C%20actors_movies%20WHERE%20actors.id%20%3D%3D%20movies.actor_id%20AND%20movie.id%20%3D%3D%20cixos5gtq0ogi0126tvekxo27%3B HTTP/1.1


Yes, the query URL can be too long, but you can put it into the body of a POST request if you don't care about REST compliance. (By the way, I think the HTTP RFC need be revised for REST to make sense: capping the length of query strings mixes implementation with specification at the very beginning)



Directly issuing SQL from the client also has the advantage of




  1. No server-side code/library is required to parse GraphQL, reducing development time.

  2. No server-side overhead is needed to parse GraphQL, reducing runtime.

  3. SQL statements are much more flexible than GraphQL because (in most cases) the latter will reduce to SQL anyway.

  4. Everyone knows SQL.


So, what the advantages GraphQL have over SQL?







architecture database web-development api web-services






share|improve this question









New contributor




nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 10 hours ago









whatsisname

25.1k136788




25.1k136788






New contributor




nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 18 hours ago









nalzoknalzok

1285




1285




New contributor




nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






nalzok is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 18





    Little Bobby Tables.

    – Philip Kendall
    18 hours ago






  • 1





    1. I can still DoS you with arbitrarily complicated SQL queries. 2. There's no chance a malicious actor would ever obtain a valid key...

    – Philip Kendall
    18 hours ago








  • 1





    What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.

    – Laiv
    18 hours ago








  • 3





    @nalzok: SQL is Turing-complete, which means it is impossible to validate statically.

    – Jörg W Mittag
    17 hours ago






  • 3





    This is very simple to understand why it's a terrible idea. Implement it yourself. At some point, you will realise that your are investing the time mostly in 1 thing: security. Not too later you will feel somewhat upset because you are implementing a caped TOAD. Then you will realise how hard is mapping rows all over the system and you will try to reinvent the ORM wheel on both sides: client and server. By the time you give up, your PM will ask you for report: how is the users' service going? Is it done?"...

    – Laiv
    13 hours ago
















  • 18





    Little Bobby Tables.

    – Philip Kendall
    18 hours ago






  • 1





    1. I can still DoS you with arbitrarily complicated SQL queries. 2. There's no chance a malicious actor would ever obtain a valid key...

    – Philip Kendall
    18 hours ago








  • 1





    What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.

    – Laiv
    18 hours ago








  • 3





    @nalzok: SQL is Turing-complete, which means it is impossible to validate statically.

    – Jörg W Mittag
    17 hours ago






  • 3





    This is very simple to understand why it's a terrible idea. Implement it yourself. At some point, you will realise that your are investing the time mostly in 1 thing: security. Not too later you will feel somewhat upset because you are implementing a caped TOAD. Then you will realise how hard is mapping rows all over the system and you will try to reinvent the ORM wheel on both sides: client and server. By the time you give up, your PM will ask you for report: how is the users' service going? Is it done?"...

    – Laiv
    13 hours ago










18




18





Little Bobby Tables.

– Philip Kendall
18 hours ago





Little Bobby Tables.

– Philip Kendall
18 hours ago




1




1





1. I can still DoS you with arbitrarily complicated SQL queries. 2. There's no chance a malicious actor would ever obtain a valid key...

– Philip Kendall
18 hours ago







1. I can still DoS you with arbitrarily complicated SQL queries. 2. There's no chance a malicious actor would ever obtain a valid key...

– Philip Kendall
18 hours ago






1




1





What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.

– Laiv
18 hours ago







What you suggest already exists and It doesn't expose your DB to the world as you are suggesting too. It also abstract the QL from the DB so that you can use SQL, noSQL or whatever your DB is.

– Laiv
18 hours ago






3




3





@nalzok: SQL is Turing-complete, which means it is impossible to validate statically.

– Jörg W Mittag
17 hours ago





@nalzok: SQL is Turing-complete, which means it is impossible to validate statically.

– Jörg W Mittag
17 hours ago




3




3





This is very simple to understand why it's a terrible idea. Implement it yourself. At some point, you will realise that your are investing the time mostly in 1 thing: security. Not too later you will feel somewhat upset because you are implementing a caped TOAD. Then you will realise how hard is mapping rows all over the system and you will try to reinvent the ORM wheel on both sides: client and server. By the time you give up, your PM will ask you for report: how is the users' service going? Is it done?"...

– Laiv
13 hours ago







This is very simple to understand why it's a terrible idea. Implement it yourself. At some point, you will realise that your are investing the time mostly in 1 thing: security. Not too later you will feel somewhat upset because you are implementing a caped TOAD. Then you will realise how hard is mapping rows all over the system and you will try to reinvent the ORM wheel on both sides: client and server. By the time you give up, your PM will ask you for report: how is the users' service going? Is it done?"...

– Laiv
13 hours ago












4 Answers
4






active

oldest

votes


















15














Basically, abstraction.



SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.



Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.



And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).



For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.






Why can't I just compare the URL (or SQL query) against keys in Redis
before performing the actual query on the RDBMS?




Because it's not easy. Even if someone uses a very simple query, such as:



SELECT st.id, jt.name
FROM some_table st
INNER JOIN join_table jt ON jt.some_table_id = st.id
WHERE st.name = 'hello
world' AND st.type = 'STANDARD'


how do you make sure the result is properly cached? This query includes newlines, but someone could just as well write the query in the following way:



SELECT st.id, jt.name FROM some_table st INNER JOIN join_table jt ON jt.some_table_id = st.id WHERE st.name = 'hello
world' AND st.type = 'STANDARD'


and it's still supposed to be cached in the same way as the one above. I have specifically included a where in which a string search contains a new line, so simply finding line endings and replacing them with a space is not going to work here, parsing the request correctly would be much more complicated.



And even if you do fix that, another query could switch the order of conditions and the query would look like this:



SELECT st.id, jt.name
FROM some_table st
INNER JOIN join_table jt ON jt.some_table_id = st.id
WHERE st.type = 'STANDARD' AND st.name = 'hello
world'


and another request could contain a redundant WHERE argument, like this:



SELECT st.id, jt.name
FROM some_table st
INNER JOIN join_table jt ON jt.some_table_id = st.id
WHERE st.type = 'STANDARD' AND st.name = 'hello
world' AND st.stype = 'STANDARD'


All of those queries are still supposed to return the same result, should be cached in the same way. But handling all of the possible options is pretty much impossible. That's why you cannot simply compare the URL against keys in Redis.






share|improve this answer

































    6














    In theory there is no reason you can't expose an SQL interface like this.



    In practice SQL is far too powerful to be effectively limited to the security scope you want to expose.



    Even if you allow only read access, a bad query can still hog resources.



    Other languages such as graphQL are designed to be exposed. They are merely giving users a filter option on what they could already see.



    The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.






    share|improve this answer

































      0














      if you want expose SQL like GraphQL, you will could need something like GraphQL, because you will need hide the important information and select what you want to show in the API, this for security.



      GraphQl and SQL are different things, SQL is the language to query DataBase and GraphQL is only to manage the data from API,in API you will need make yours schemas to show and querys to manage it, etc.



      in any API you will need make those things for simply security, but if you want something that is free data access maybe it would work, you know so many alternatives in the software world






      share|improve this answer































        0














        As others have mentioned, exposing SQL directly in the api is a very bad option. GraphQL, despite it's name, is not an abstraction for SQL, but for any data store or even other services.



        If you are looking for an abstraction that is closer to SQL, you might want to have a look at odata (if you happen to work in .NET backends, though maybe other implementations exist).






        share|improve this answer
























          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "131"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          nalzok is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsoftwareengineering.stackexchange.com%2fquestions%2f389900%2fwhy-not-use-sql-instead-of-graphql%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          4 Answers
          4






          active

          oldest

          votes








          4 Answers
          4






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          15














          Basically, abstraction.



          SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.



          Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.



          And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).



          For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.






          Why can't I just compare the URL (or SQL query) against keys in Redis
          before performing the actual query on the RDBMS?




          Because it's not easy. Even if someone uses a very simple query, such as:



          SELECT st.id, jt.name
          FROM some_table st
          INNER JOIN join_table jt ON jt.some_table_id = st.id
          WHERE st.name = 'hello
          world' AND st.type = 'STANDARD'


          how do you make sure the result is properly cached? This query includes newlines, but someone could just as well write the query in the following way:



          SELECT st.id, jt.name FROM some_table st INNER JOIN join_table jt ON jt.some_table_id = st.id WHERE st.name = 'hello
          world' AND st.type = 'STANDARD'


          and it's still supposed to be cached in the same way as the one above. I have specifically included a where in which a string search contains a new line, so simply finding line endings and replacing them with a space is not going to work here, parsing the request correctly would be much more complicated.



          And even if you do fix that, another query could switch the order of conditions and the query would look like this:



          SELECT st.id, jt.name
          FROM some_table st
          INNER JOIN join_table jt ON jt.some_table_id = st.id
          WHERE st.type = 'STANDARD' AND st.name = 'hello
          world'


          and another request could contain a redundant WHERE argument, like this:



          SELECT st.id, jt.name
          FROM some_table st
          INNER JOIN join_table jt ON jt.some_table_id = st.id
          WHERE st.type = 'STANDARD' AND st.name = 'hello
          world' AND st.stype = 'STANDARD'


          All of those queries are still supposed to return the same result, should be cached in the same way. But handling all of the possible options is pretty much impossible. That's why you cannot simply compare the URL against keys in Redis.






          share|improve this answer






























            15














            Basically, abstraction.



            SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.



            Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.



            And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).



            For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.






            Why can't I just compare the URL (or SQL query) against keys in Redis
            before performing the actual query on the RDBMS?




            Because it's not easy. Even if someone uses a very simple query, such as:



            SELECT st.id, jt.name
            FROM some_table st
            INNER JOIN join_table jt ON jt.some_table_id = st.id
            WHERE st.name = 'hello
            world' AND st.type = 'STANDARD'


            how do you make sure the result is properly cached? This query includes newlines, but someone could just as well write the query in the following way:



            SELECT st.id, jt.name FROM some_table st INNER JOIN join_table jt ON jt.some_table_id = st.id WHERE st.name = 'hello
            world' AND st.type = 'STANDARD'


            and it's still supposed to be cached in the same way as the one above. I have specifically included a where in which a string search contains a new line, so simply finding line endings and replacing them with a space is not going to work here, parsing the request correctly would be much more complicated.



            And even if you do fix that, another query could switch the order of conditions and the query would look like this:



            SELECT st.id, jt.name
            FROM some_table st
            INNER JOIN join_table jt ON jt.some_table_id = st.id
            WHERE st.type = 'STANDARD' AND st.name = 'hello
            world'


            and another request could contain a redundant WHERE argument, like this:



            SELECT st.id, jt.name
            FROM some_table st
            INNER JOIN join_table jt ON jt.some_table_id = st.id
            WHERE st.type = 'STANDARD' AND st.name = 'hello
            world' AND st.stype = 'STANDARD'


            All of those queries are still supposed to return the same result, should be cached in the same way. But handling all of the possible options is pretty much impossible. That's why you cannot simply compare the URL against keys in Redis.






            share|improve this answer




























              15












              15








              15







              Basically, abstraction.



              SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.



              Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.



              And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).



              For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.






              Why can't I just compare the URL (or SQL query) against keys in Redis
              before performing the actual query on the RDBMS?




              Because it's not easy. Even if someone uses a very simple query, such as:



              SELECT st.id, jt.name
              FROM some_table st
              INNER JOIN join_table jt ON jt.some_table_id = st.id
              WHERE st.name = 'hello
              world' AND st.type = 'STANDARD'


              how do you make sure the result is properly cached? This query includes newlines, but someone could just as well write the query in the following way:



              SELECT st.id, jt.name FROM some_table st INNER JOIN join_table jt ON jt.some_table_id = st.id WHERE st.name = 'hello
              world' AND st.type = 'STANDARD'


              and it's still supposed to be cached in the same way as the one above. I have specifically included a where in which a string search contains a new line, so simply finding line endings and replacing them with a space is not going to work here, parsing the request correctly would be much more complicated.



              And even if you do fix that, another query could switch the order of conditions and the query would look like this:



              SELECT st.id, jt.name
              FROM some_table st
              INNER JOIN join_table jt ON jt.some_table_id = st.id
              WHERE st.type = 'STANDARD' AND st.name = 'hello
              world'


              and another request could contain a redundant WHERE argument, like this:



              SELECT st.id, jt.name
              FROM some_table st
              INNER JOIN join_table jt ON jt.some_table_id = st.id
              WHERE st.type = 'STANDARD' AND st.name = 'hello
              world' AND st.stype = 'STANDARD'


              All of those queries are still supposed to return the same result, should be cached in the same way. But handling all of the possible options is pretty much impossible. That's why you cannot simply compare the URL against keys in Redis.






              share|improve this answer















              Basically, abstraction.



              SQL requires your clients to know your exact database structure, which is not good. On top of that, analysing the SQL in order to perform special operations based on the value sent as the input is a really difficult thing to do. There are entire softwares which are pretty much responsible only for that. Do you know what those are? If you have guessed the databases, you are right.



              Thanks to not exposing the SQL directly, you are not limiting the consumer of the API to the internal representation of your database. You easily expose only what you want to expose.



              And since clients of the API depend only on the abstraction, you are free to have as many layers as possible between the API input and the actual database (security, caching, loading data from multiple databases on a single request,...).



              For public services, exposing a database directly is pretty much never the right approach. If you however have a few internal systems, sure, your approach might make sense but even then it might just be easier to connect to application A's database directly from Application B by giving the database credentials to the Application B, rather than trying to come up with a custom HTTP interface for the database SQL language.






              Why can't I just compare the URL (or SQL query) against keys in Redis
              before performing the actual query on the RDBMS?




              Because it's not easy. Even if someone uses a very simple query, such as:



              SELECT st.id, jt.name
              FROM some_table st
              INNER JOIN join_table jt ON jt.some_table_id = st.id
              WHERE st.name = 'hello
              world' AND st.type = 'STANDARD'


              how do you make sure the result is properly cached? This query includes newlines, but someone could just as well write the query in the following way:



              SELECT st.id, jt.name FROM some_table st INNER JOIN join_table jt ON jt.some_table_id = st.id WHERE st.name = 'hello
              world' AND st.type = 'STANDARD'


              and it's still supposed to be cached in the same way as the one above. I have specifically included a where in which a string search contains a new line, so simply finding line endings and replacing them with a space is not going to work here, parsing the request correctly would be much more complicated.



              And even if you do fix that, another query could switch the order of conditions and the query would look like this:



              SELECT st.id, jt.name
              FROM some_table st
              INNER JOIN join_table jt ON jt.some_table_id = st.id
              WHERE st.type = 'STANDARD' AND st.name = 'hello
              world'


              and another request could contain a redundant WHERE argument, like this:



              SELECT st.id, jt.name
              FROM some_table st
              INNER JOIN join_table jt ON jt.some_table_id = st.id
              WHERE st.type = 'STANDARD' AND st.name = 'hello
              world' AND st.stype = 'STANDARD'


              All of those queries are still supposed to return the same result, should be cached in the same way. But handling all of the possible options is pretty much impossible. That's why you cannot simply compare the URL against keys in Redis.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited 6 hours ago

























              answered 13 hours ago









              AndyAndy

              7,59711438




              7,59711438

























                  6














                  In theory there is no reason you can't expose an SQL interface like this.



                  In practice SQL is far too powerful to be effectively limited to the security scope you want to expose.



                  Even if you allow only read access, a bad query can still hog resources.



                  Other languages such as graphQL are designed to be exposed. They are merely giving users a filter option on what they could already see.



                  The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.






                  share|improve this answer






























                    6














                    In theory there is no reason you can't expose an SQL interface like this.



                    In practice SQL is far too powerful to be effectively limited to the security scope you want to expose.



                    Even if you allow only read access, a bad query can still hog resources.



                    Other languages such as graphQL are designed to be exposed. They are merely giving users a filter option on what they could already see.



                    The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.






                    share|improve this answer




























                      6












                      6








                      6







                      In theory there is no reason you can't expose an SQL interface like this.



                      In practice SQL is far too powerful to be effectively limited to the security scope you want to expose.



                      Even if you allow only read access, a bad query can still hog resources.



                      Other languages such as graphQL are designed to be exposed. They are merely giving users a filter option on what they could already see.



                      The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.






                      share|improve this answer















                      In theory there is no reason you can't expose an SQL interface like this.



                      In practice SQL is far too powerful to be effectively limited to the security scope you want to expose.



                      Even if you allow only read access, a bad query can still hog resources.



                      Other languages such as graphQL are designed to be exposed. They are merely giving users a filter option on what they could already see.



                      The benefit of using these languages is that they have gone through all the things you would want to stop users doing in SQL and taken them off the table.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited 8 hours ago

























                      answered 11 hours ago









                      EwanEwan

                      43.2k33695




                      43.2k33695























                          0














                          if you want expose SQL like GraphQL, you will could need something like GraphQL, because you will need hide the important information and select what you want to show in the API, this for security.



                          GraphQl and SQL are different things, SQL is the language to query DataBase and GraphQL is only to manage the data from API,in API you will need make yours schemas to show and querys to manage it, etc.



                          in any API you will need make those things for simply security, but if you want something that is free data access maybe it would work, you know so many alternatives in the software world






                          share|improve this answer




























                            0














                            if you want expose SQL like GraphQL, you will could need something like GraphQL, because you will need hide the important information and select what you want to show in the API, this for security.



                            GraphQl and SQL are different things, SQL is the language to query DataBase and GraphQL is only to manage the data from API,in API you will need make yours schemas to show and querys to manage it, etc.



                            in any API you will need make those things for simply security, but if you want something that is free data access maybe it would work, you know so many alternatives in the software world






                            share|improve this answer


























                              0












                              0








                              0







                              if you want expose SQL like GraphQL, you will could need something like GraphQL, because you will need hide the important information and select what you want to show in the API, this for security.



                              GraphQl and SQL are different things, SQL is the language to query DataBase and GraphQL is only to manage the data from API,in API you will need make yours schemas to show and querys to manage it, etc.



                              in any API you will need make those things for simply security, but if you want something that is free data access maybe it would work, you know so many alternatives in the software world






                              share|improve this answer













                              if you want expose SQL like GraphQL, you will could need something like GraphQL, because you will need hide the important information and select what you want to show in the API, this for security.



                              GraphQl and SQL are different things, SQL is the language to query DataBase and GraphQL is only to manage the data from API,in API you will need make yours schemas to show and querys to manage it, etc.



                              in any API you will need make those things for simply security, but if you want something that is free data access maybe it would work, you know so many alternatives in the software world







                              share|improve this answer












                              share|improve this answer



                              share|improve this answer










                              answered 8 hours ago









                              Jorge Félix CazarezJorge Félix Cazarez

                              63




                              63























                                  0














                                  As others have mentioned, exposing SQL directly in the api is a very bad option. GraphQL, despite it's name, is not an abstraction for SQL, but for any data store or even other services.



                                  If you are looking for an abstraction that is closer to SQL, you might want to have a look at odata (if you happen to work in .NET backends, though maybe other implementations exist).






                                  share|improve this answer




























                                    0














                                    As others have mentioned, exposing SQL directly in the api is a very bad option. GraphQL, despite it's name, is not an abstraction for SQL, but for any data store or even other services.



                                    If you are looking for an abstraction that is closer to SQL, you might want to have a look at odata (if you happen to work in .NET backends, though maybe other implementations exist).






                                    share|improve this answer


























                                      0












                                      0








                                      0







                                      As others have mentioned, exposing SQL directly in the api is a very bad option. GraphQL, despite it's name, is not an abstraction for SQL, but for any data store or even other services.



                                      If you are looking for an abstraction that is closer to SQL, you might want to have a look at odata (if you happen to work in .NET backends, though maybe other implementations exist).






                                      share|improve this answer













                                      As others have mentioned, exposing SQL directly in the api is a very bad option. GraphQL, despite it's name, is not an abstraction for SQL, but for any data store or even other services.



                                      If you are looking for an abstraction that is closer to SQL, you might want to have a look at odata (if you happen to work in .NET backends, though maybe other implementations exist).







                                      share|improve this answer












                                      share|improve this answer



                                      share|improve this answer










                                      answered 7 hours ago









                                      jannikbjannikb

                                      513




                                      513






















                                          nalzok is a new contributor. Be nice, and check out our Code of Conduct.










                                          draft saved

                                          draft discarded


















                                          nalzok is a new contributor. Be nice, and check out our Code of Conduct.













                                          nalzok is a new contributor. Be nice, and check out our Code of Conduct.












                                          nalzok is a new contributor. Be nice, and check out our Code of Conduct.
















                                          Thanks for contributing an answer to Software Engineering Stack Exchange!


                                          • Please be sure to answer the question. Provide details and share your research!

                                          But avoid



                                          • Asking for help, clarification, or responding to other answers.

                                          • Making statements based on opinion; back them up with references or personal experience.


                                          To learn more, see our tips on writing great answers.




                                          draft saved


                                          draft discarded














                                          StackExchange.ready(
                                          function () {
                                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsoftwareengineering.stackexchange.com%2fquestions%2f389900%2fwhy-not-use-sql-instead-of-graphql%23new-answer', 'question_page');
                                          }
                                          );

                                          Post as a guest















                                          Required, but never shown





















































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown

































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown







                                          Popular posts from this blog

                                          Can't compile dgruyter and caption packagesLaTeX templates/packages for writing a patent specificationLatex...

                                          Schneeberg (Smreczany) Bibliografia | Menu...

                                          Hans Bellmer Spis treści Życiorys | Upamiętnienie | Przypisy | Bibliografia | Linki zewnętrzne |...