Language_server feedback: bind variables to pre-query values to avoid injection vulnerabilities

[This has been pulled from this thread since it was getting so noisy]

Provide for the ability to bind variables to pre-query values without using Prolog syntax, to avoid injection vulnerabilities. Something like {"query":"player_exists(X)", "bindings":{"X": "Johnny\"),abort. %"}} will save you a lot of headaches.

@dmchurch could you give a scenario here? I’m not sure what you mean (or are proposing)…

I’m saying that if (possibly untrustworthy) user data is used as input to a query, you absolutely do not want your developers to be putting that data into the same string as the query itself. Even if the mqi responder itself isn’t open to public connections, you have no idea how people are going to be using it or who will have access that will let them get bad data into a query, and if it isn’t escaped properly that could cause catastrophe. Read up on SQL injection attacks, if you aren’t familiar with them. And while your Python glue library might automatically do argument escaping and the like on its own, that’s putting the onus of that work on the developer of the front-end, which is exactly the opposite of what you’re trying to do here.

In fact, if I were designing this, I’d go one step further. I’d require that the input query isn’t a Prolog term at all, and instead simply takes as input a functor name and its arguments encoded as JSON. No one should be sending complex queries across this interface; this isn’t designed to give full access to the Prolog language after all, but simply to provide the ability to run queries. If more Prolog-type logic needs to be done, it should be written in the Prolog-side code itself and not sent over the MQI.

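Added example, not swiplserver's or the MQI's own code: a small Python encoder for the functor-plus-JSON-arguments form suggested in the last post, where every data value is emitted as a quoted Prolog atom so the payload from the first post cannot alter the goal. The names `Var`, `quote_atom`, `to_term` and `goal_from_json` are assumed here.

```python
import re
from typing import Any

# Constructed example, not swiplserver's or the MQI's code: the functor name is
# checked against plain-atom syntax and every argument is rendered as a quoted
# Prolog term, so untrusted data can never change the shape of the goal.
ATOM_RE = re.compile(r"^[a-z][a-zA-Z0-9_]*$")   # unquoted Prolog atom
VAR_RE = re.compile(r"^[A-Z_][a-zA-Z0-9_]*$")   # Prolog variable

class Var:
    """Marks an argument that is an output variable rather than data."""
    def __init__(self, name: str) -> None:
        if not VAR_RE.match(name):
            raise ValueError(f"invalid Prolog variable name: {name!r}")
        self.name = name

def quote_atom(text: str) -> str:
    """Single-quote text as a Prolog atom: ) , . % and newlines become data."""
    escaped = (text.replace("\\", "\\\\").replace("'", "\\'")
                   .replace("\n", "\\n").replace("\r", "\\r"))
    return f"'{escaped}'"

def to_term(value: Any) -> str:
    """Encode a JSON-style value (str, bool, None, number, list) as term text."""
    if isinstance(value, Var):
        return value.name
    if isinstance(value, bool):          # before int: bool is an int subclass
        return "true" if value else "false"
    if value is None:
        return "null"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        return quote_atom(value)
    if isinstance(value, list):
        return "[" + ",".join(to_term(v) for v in value) + "]"
    raise TypeError(f"cannot encode {type(value).__name__} as a Prolog term")

def goal_from_json(functor: str, args: list) -> str:
    """Build functor(arg1,...,argN) without interpolating raw user data."""
    if not ATOM_RE.match(functor):
        raise ValueError(f"functor is not a plain Prolog atom: {functor!r}")
    if not args:
        return functor
    return functor + "(" + ",".join(to_term(a) for a in args) + ")"

# Constructed request carrying the payload quoted in the first post.
request = {"functor": "player_exists", "args": ["Johnny\"),abort. %"]}
goal = goal_from_json(request["functor"], request["args"])
# goal == "player_exists('Johnny\"),abort. %')": the payload stays one atom
```

A functor that is not a plain atom is rejected outright rather than quoted, so the set of callable predicates stays an allowlist decided on the Prolog side.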