We have a need coming up in an application where the following is true:
- A web page uses AJAX to request data from a server.
- The specification of the data (e.g. table name) requested from the server will not be known until run-time.
- The configuration of the data view is itself data-driven, and configurable by an administrator.
- Data updates and inserts must be supported, not just views.
Prototyping this was very easy - we could pass in the appropriate information (table name, changeset, whatever) to a generic data service that just did what it was told (using JSON as the data storage mechanism). The data service could do basic validation on the parameters to ensure the current user can perform the requested operation (read the data, insert a row, read the row).
The issue we have now is that we are looking to do this in a secure production manner, and the idea of passing table names and column names is frightening. Everything we think of to deal with this devolves into trusting the client in some significant way, or seems to involve substantial bookkeeping on the server. For example:
- User requests a viewing page.
- The server notes the table name and saves it server side with a request ID.
- The server notes the column names and saves them, replacing them with "col1, col2", etc., and stores the mapping with the request ID data.
- The client page sends the request ID to the service, which looks up the server storage by ID.
- The service returns col1, col2, etc.
This would work, we think, but feels very messy.
Does anyone have experience with this kind of problem and can offer a solution?
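The request-ID scheme outlined in the question, sketched as an added example (not code from the original post): the client only ever handles an opaque ID and `col1`, `col2` aliases, while table and column names come from server-side configuration. The `VIEWS` layout, the function names, the role check and the `orders` table are all assumptions made for illustration.

```python
import secrets
import sqlite3

# Constructed admin configuration: view name -> table, columns, allowed roles.
VIEWS = {"orders": {"table": "orders", "columns": ["customer", "total"],
                    "roles": {"clerk"}}}
SESSIONS = {}  # request ID -> user, table, alias map; never sent to the client

def open_view(user, role, view_name):
    """Issue an opaque request ID; the client sees only col1, col2, ..."""
    view = VIEWS[view_name]
    if role not in view["roles"]:
        raise PermissionError("role may not use this view")
    aliases = {f"col{i}": c for i, c in enumerate(view["columns"], 1)}
    request_id = secrets.token_urlsafe(16)
    SESSIONS[request_id] = {"user": user, "table": view["table"], "aliases": aliases}
    return request_id, list(aliases)

def _resolve(user, request_id, aliases):
    """Map client aliases to real identifiers, rejecting anything unknown."""
    entry = SESSIONS.get(request_id)
    if entry is None or entry["user"] != user:
        raise PermissionError("unknown request ID for this user")
    if not aliases or any(a not in entry["aliases"] for a in aliases):
        raise ValueError("empty or unknown column alias list")
    return entry["table"], [entry["aliases"][a] for a in aliases]

def read_rows(db, user, request_id, aliases):
    table, cols = _resolve(user, request_id, aliases)
    # Identifiers come only from server configuration, never from the client.
    quoted = ", ".join(f'"{c}"' for c in cols)
    return db.execute(f'SELECT {quoted} FROM "{table}"').fetchall()

def insert_row(db, user, request_id, values):
    table, cols = _resolve(user, request_id, list(values))
    quoted = ", ".join(f'"{c}"' for c in cols)
    marks = ", ".join("?" for _ in cols)
    # Client-supplied values are always bound as parameters.
    db.execute(f'INSERT INTO "{table}" ({quoted}) VALUES ({marks})',
               list(values.values()))

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, total REAL)")
    rid, cols = open_view("alice", "clerk", "orders")
    insert_row(db, "alice", rid, {"col1": "ACME", "col2": 12.5})
    print(cols, read_rows(db, "alice", rid, cols))
```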