/api-filter

A PHP parser for a sql-like filter

Primary LanguagePHPMIT LicenseMIT

FattureInCloud API Filter

This PHP library makes possible to parse a string parameter and use it to initialize a Filter that can be used on REST APIs; the input string is based on a simplified SQL-like WHERE clause, making it easy to understand and use.

The library returns a class-based representation of the filter, that can be used to generate the actual filter to apply to your API requests.

Disclaimer

This library is currently focused on parsing and building the representation of the query, it does not validate the query itself. For example, it doesn't check if a field exists or if it is supported by your filters, and it doesn't enforce permissions checks on the query. You should take care of it on your own.

Even if this filter uses a grammar that should reduce the risk of SQL Injection, you should adopt some strategy to validate the filters and avoid executing unsafe queries.

Install

Via Composer

$ composer require fattureincloud/api-filter

Usage

To parse a filter string, you can use the FattureInCloud\ApiFilter\FilterFactory class:

use FattureInCloud\ApiFilter\FilterFactory

$str = "id = 5";
$factory = new FilterFactory();

$filter = $factory->initFilter($str);

The returned filter will be a composition of the classes contained in the FattureInCloud\ApiFilter\Filter package.

The string is based on triplets:

field op value

The field is a lowercase string, with dots and underscores.

The op is one of the following (unquoted):

  • Equal: '='
  • Greater than: '>'
  • Greater than or equal to: '>='
  • Less than: '<'
  • Less than or equal to: '<='
  • Not equal: '<>', '!='

The value can be one of:

  • String: 'value'
  • Booleam: true, false
  • Int: 46
  • Double: 12.34

You can escape the single quote in a string value by doubling it. The filter will take care of returning the expected string.

It is also possible to match a String against a Pattern using one of those operators:

  • Like: 'like', 'LIKE'
  • Contains: 'contains', 'CONTAINS'
  • Starts With: 'starts with', 'STARTS WITH'
  • Ends With: 'ends with', 'ENDS WITH'

Like and Contains can also be negated:

  • Not Like: 'not like', 'NOT LIKE'
  • Not Contains: 'not contains', 'NOT CONTAINS'

Additionally, it is possible to check if field has a value or not, using NULL:

  • Null field: 'IS NULL', 'is null', '= null', '= NULL'
  • Not Null field: 'IS NOT NULL', 'is not null', '<> null', '!= null', '<> NULL', '!= NULL'

It is possible to use the following operators:

  • Conjunction: 'and', 'AND'
  • Disjunction: 'or', 'OR'

Parenthesis can be used to compose complex expressions.

For example:

city = 'Bergamo' and (age < 30 or (dev = true and (name = 'Giorgio' and surname is not null) or employer starts with 'Fatture'))

Testing

$ composer test

Parser generation

The parser was generated automatically using ANTLR and the PHP target; it is placed in the FattureInCloud\ApiFilter\Parser repository. Usually you should not directly manage the parser: the FilterFactory class is a wrapper that manages it for you.

The grammar is placed under the /grammar folder, if needed you can trigger the parser generation using docker and composer:

$ composer generate

If needed, you can generate a parser in another language changing the ANTLR target in the entrypoint.sh file.

License

The MIT License (MIT).