API Security Blog

Don’t use GraphQL in production without a security review.

2. Parsing a GraphQL Operation vs. parsing an SQL query

Why? Why is GraphQL so much more vulnerable than, say, MySQL? Let's compare the ANTLR grammar for parsing an SQL query with the one for parsing a GraphQL Operation:

The SQL parser has around 50 lines of code, while the graphql-js parser has 325 lines of code (and that is not even counting all the other libraries it depends on). So it is fair to say that there are far more years of experience and expertise behind parsing SQL queries than behind parsing GraphQL Operations (queries, mutations, subscriptions, and so on).
https://t.co/4TEcJVrEXX
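To make the parsing comparison concrete, here is an added example (not code from the original post, and not graphql-js or any ANTLR grammar). It implements a deliberately reduced, constructed subset of the GraphQL operation grammar: an optional operation keyword and name, then a selection set of fields, each with optional scalar arguments and an optional nested selection set. Even this subset is recursive, because a field can carry another selection set, whereas a SELECT list is flat; that recursion is where the extra parsing complexity lives and also where a defender can enforce a nesting depth and field budget before anything is executed. The `Limits` values and the sample operations are assumptions chosen for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed, simplified grammar (not the official GraphQL spec):
#   Operation    = [ ("query"|"mutation"|"subscription") [Name] ] SelectionSet
#   SelectionSet = "{" Field+ "}"
#   Field        = Name [Arguments] [SelectionSet]
#   Arguments    = "(" (Name ":" Value)+ ")"
#   Value        = Int | String | Name
# Whitespace and commas are insignificant, as in GraphQL.
TOKEN_RE = re.compile(
    r'\s+|,|(?P<punct>[{}():])|(?P<name>[_A-Za-z][_0-9A-Za-z]*)'
    r'|(?P<int>-?\d+)|(?P<string>"(?:[^"\\]|\\.)*")'
)


class ParseError(ValueError):
    """Raised for malformed input or for operations over the configured limits."""


def tokenize(text):
    """Split the operation text into (kind, value) tokens, skipping whitespace and commas."""
    pos, tokens = 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ParseError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup:  # unnamed alternatives are whitespace/commas and are dropped
            tokens.append((m.lastgroup, m.group()))
    return tokens


@dataclass
class Field:
    name: str
    args: dict
    selections: list


@dataclass
class Limits:
    max_depth: int = 10      # assumed budget: deepest allowed selection-set nesting
    max_fields: int = 500    # assumed budget: total fields in one operation


class Parser:
    """Recursive-descent parser that tracks nesting depth and field count while parsing."""

    def __init__(self, tokens, limits):
        self.toks, self.i, self.limits = tokens, 0, limits
        self.field_count, self.max_depth = 0, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", "")

    def expect(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise ParseError(f"expected {value or kind}, got {v or 'end of input'}")
        self.i += 1
        return v

    def parse_operation(self):
        kind, val = self.peek()
        if kind == "name" and val in ("query", "mutation", "subscription"):
            self.i += 1
            if self.peek()[0] == "name":  # optional operation name
                self.i += 1
        selections = self.parse_selection_set(1)
        if self.peek()[0] != "eof":
            raise ParseError("trailing tokens after operation")
        return selections

    def parse_selection_set(self, depth):
        # Enforce the depth budget on entry, before recursing any further.
        if depth > self.limits.max_depth:
            raise ParseError(f"selection set nesting exceeds {self.limits.max_depth}")
        self.max_depth = max(self.max_depth, depth)
        self.expect("punct", "{")
        fields = []
        while self.peek() != ("punct", "}"):
            fields.append(self.parse_field(depth))
        self.expect("punct", "}")
        if not fields:
            raise ParseError("empty selection set")
        return fields

    def parse_field(self, depth):
        self.field_count += 1
        if self.field_count > self.limits.max_fields:
            raise ParseError(f"operation exceeds {self.limits.max_fields} fields")
        name = self.expect("name")
        args = {}
        if self.peek() == ("punct", "("):
            self.i += 1
            while self.peek() != ("punct", ")"):
                key = self.expect("name")
                self.expect("punct", ":")
                kind, value = self.peek()
                if kind not in ("int", "string", "name"):
                    raise ParseError(f"unsupported argument value {value!r}")
                self.i += 1
                args[key] = value
            self.expect("punct", ")")
        selections = []
        if self.peek() == ("punct", "{"):  # the recursive case: a nested selection set
            selections = self.parse_selection_set(depth + 1)
        return Field(name, args, selections)


def check_operation(text, limits=None):
    """Parse one operation; return (max_depth, field_count) or raise ParseError."""
    parser = Parser(tokenize(text), limits or Limits())
    parser.parse_operation()
    return parser.max_depth, parser.field_count


def is_within_limits(text, limits=None):
    """True if the operation parses and stays inside the depth and field budgets."""
    try:
        check_operation(text, limits)
        return True
    except ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample operations for the demonstration.
    print(check_operation('{ user(id: 7) { name posts(first: 10) { title } } }'))
    print(is_within_limits("{ a" * 11 + " }" * 11))  # too deep for the default budget
```

The limits are checked inside the parser rather than after it, so an over-deep or over-wide document is rejected as early as the tokens reveal it; a production GraphQL server would do the same kind of validation on the parsed document, but the point here is how much grammar a "simple" operation already requires compared with a flat SELECT list.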
