Ask HN: Why aren't SQL queries compiled?
If the database knew what queries were running ahead of time and have them compiled you could easily defend against SQL injection because the SQL isn't being interpreted as it's run, and it would be possible to run analysis over the query to see if there are any indexes or implementations missing that could speed it up. Something like a stored procedure's variable substitution but not interpreted when called.
12 comments
[ 2.9 ms ] story [ 38.4 ms ] threadFor instance if you wanted to make a SQL engine that lets you write a SELECT on tables that are csv files that writes a C program and then compiles it with a C compiler that's up to you.
In particular a SQL engine can compile stored procedures ahead of time and back in the day I worked at a few places that put "business logic" into SQL procedures, that is, 100% of the SQL access is done through stored procedures, the same way that many web applications define a front end in Java or Node that exposes data to a Javascript front end.
If you build an app that way you can put a SQL specialist in charge of the SQL interface and also know the application is immune to SQL injection attacks.
To achieve what OP wants would require a "build time" compilation. And a permission system where a SQL-account is restricted to only run/execute these pre-built queries and commands. No ad-hoc sql allowed at runtime. Stored procs only get you half-way there, ignoring their own invocation is a runtime sql vulnerable to injection.
As of today, good coding practice with parametrized queries and procedure invocation is your only protection. But your app may not "own" the DB. Just a cog in a larger system. What OP is suggesting would move the shield closer to the data for better protection. So the 20+ other apps out of your control don't mess things up.
And that obviously is susceptible to injection attacks.
Really the only general way around this would be if all of those other languages had an API to communicate with a relational backend which did not interpret SQL at all, but rather only offered things like select_statement(fieldname, tablename, ...)
Such interfaces exist, but I'm not really familiar with them, nor why they're not universally used -- except to note that it's a lot of work to create an SQL library. Look at the SQL language; it's a lot to support, particularly if you need to avoid 100 arguments passed to a function, etc. (Just saying one shouldn't leap to trivializing such projects.)
If you want many more gory details, this is a good watch: https://youtu.be/eurwtUhY5fk