
I'm writing an API for a Mongo database. I need to pass a JSON object as a GET parameter:

example.com/api/obj/list/1/?find={"foo":"bar"}

How should I organize this better?

I thought about using JSON-like objects without quotes and spaces, for example:

{$or:[{a:foo+bar},{b:2}]}

So are there any tools to parse it in Python/Django?

  • You can also URL encode or Base64 encode the data (which will result in a longer string). Commented Dec 9, 2010 at 9:29

1 Answer

It should be fine as long as the JSON objects aren't too big, they don't contain sensitive data (it sucks to see your password in your browser history) and you URL-escape them.

Unfortunately, you have to take shortcuts if you want to have a human-readable JSON parameter. All JSON brackets ({, }, [, ]) are recommended for escaping. You don't have to escape them, but you are taking a risk if you don't. More annoying is the :, which is ubiquitous in JSON and must be escaped.

If you want human-readable query strings, then the sensible solution is to encode all query parameters explicitly. A compromise that might work quite well is to unpack the top-level JSON object into explicit query parameters, each of which remains JSON-encoded. Going a small step further, you could drop any top-level delimiters that remain, e.g.:

JSON: {"foo":"bar", "items":[1, 2, 3], "staff":{"id":432, "first":"John", "last":"Doe"}}
Query: foo=bar&items=1,2,3&staff="id"%3A432,"first"%3A"John","last"%3A"Doe"

Since you know that foo is a string, items is an array and staff is an object, you can rehydrate the JSON syntax correctly before sending the lot to a JSON parser.
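Both options from the answer, as an added Python example that is not part of the original post: the whole filter URL-escaped as one `find` parameter, and the readable compromise that unpacks the top-level keys and drops their outer delimiters, with the server putting them back from a known schema before calling the JSON parser. The sample object and its schema (`SAMPLE`, `SAMPLE_SCHEMA`) are constructed here from the answer's example; the function names are this example's own.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample filter, modelled on the object in the answer above.
SAMPLE = {"foo": "bar", "items": [1, 2, 3],
          "staff": {"id": 432, "first": "John", "last": "Doe"}}

# Assumed schema for the flattened form: the server must know each
# top-level key's kind in order to put the dropped delimiters back.
SAMPLE_SCHEMA = {"foo": "string", "items": "array", "staff": "object"}

# Delimiters dropped by flatten() and restored by rehydrate().
WRAPPERS = {"string": ('"', '"'), "array": ("[", "]"),
            "object": ("{", "}"), "scalar": ("", "")}


def encode_find(filter_obj):
    """Whole filter as one URL-escaped `find` parameter (the option the answer
    prefers). Compact separators avoid escaping the spaces json.dumps adds."""
    return urlencode({"find": json.dumps(filter_obj, separators=(",", ":"))})


def decode_find(query_string):
    """Server side of encode_find: unescape, then let the JSON parser do the rest."""
    params = parse_qs(query_string, strict_parsing=True)
    return json.loads(params["find"][0])


def flatten(filter_obj):
    """The answer's readable compromise: one parameter per top-level key, each
    JSON-encoded with its outermost quotes, brackets or braces removed."""
    flat = {}
    for key, value in filter_obj.items():
        text = json.dumps(value, separators=(",", ":"))
        if isinstance(value, (str, list, dict)):
            text = text[1:-1]  # strip the outer "...", [...] or {...}
        flat[key] = text
    # Commas are legal in a query string, so leave them readable.
    return urlencode(flat, safe=",")


def rehydrate(query_string, schema):
    """Put the delimiters back using the schema, then parse each value.
    Keys that are not in the schema are ignored rather than trusted."""
    params = parse_qs(query_string, strict_parsing=True, keep_blank_values=True)
    result = {}
    for key, kind in schema.items():
        if key in params:
            left, right = WRAPPERS[kind]
            result[key] = json.loads(left + params[key][0] + right)
    return result
```

`rehydrate` only accepts keys named in the schema, which is the safeguard the answer's comments hint at: the flattened form trusts the client to put sensible JSON in each field, so the server should at least decide which fields exist and what kind each one is.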


5 Comments

Well, Mongo collections contain reports with open data, so I won't store personal information. Nevertheless I can filter some parameters. I don't want to pass JSON because escaping increases its size. Also it would be nice to pass a human-readable query.
@San4ez: I've amended my answer in response to this.
Thanks for your response. I chose to use a JSON object. Some web tools (e.g. phpmoadmin) also do it. Is it safe? I mean something like SQL injection?
@San4ez: JSON is perfectly safe as long as you use a good JSON parser that returns language-level objects. The tricks I've suggested in my amended answer are slightly hazardous in this respect, since you are trusting that the origin is placing sensible JSON in the query fields. Personally, I would forego readability and just encode the entire JSON object directly. It isn't that unreadable, anyway.
@San4ez: Actually, the equivalent of SQL-injection would be something like '{"operation":"newaccount","name":"%s"}' % (nameFld.text,), where someone types Jones","admin":true,"xxx":" into the name field. So, use a JSON serializer and you'll be just fine.
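The injection shape from the last comment, run both ways as an added Python example (not code from the original thread): the string-formatted template that lets the name field add an `"admin":true` key, beside the serializer-built version that cannot. It also goes one step beyond the comments: a filter that parses as valid JSON is still a query the client wrote, so before handing it to a Mongo `find()` the server should check that it only uses fields and operators the API intends to expose (`$where`, for instance, executes JavaScript on the server). `ALLOWED_FIELDS` and `ALLOWED_OPERATORS` are assumed sets for illustration, and `MALICIOUS_NAME` is constructed from the comment's example.

```python
import json

# Constructed input, copied from the injection example in the comments above.
MALICIOUS_NAME = 'Jones","admin":true,"xxx":"'

# Assumptions for the filter check: what this hypothetical API exposes.
ALLOWED_FIELDS = {"a", "b", "foo"}
ALLOWED_OPERATORS = {"$or", "$and", "$in", "$eq", "$gt", "$lt"}


def build_unsafe(name):
    """The vulnerable pattern from the comment: user text spliced into a JSON
    template with string formatting. Kept as-is to show the failure."""
    return json.loads('{"operation":"newaccount","name":"%s"}' % (name,))


def build_safe(name):
    """Let the serializer quote the value; the input cannot close the string
    and add keys of its own."""
    return json.loads(json.dumps({"operation": "newaccount", "name": name}))


def validate_filter(node, allowed_fields=ALLOWED_FIELDS,
                    allowed_ops=ALLOWED_OPERATORS):
    """True if every key in a parsed filter is either a known field or an
    allowed operator, at any depth. Anything else ($where, $regex, unknown
    field names) is rejected before the filter reaches the database."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith("$"):
                if key not in allowed_ops:
                    return False
            elif key not in allowed_fields:
                return False
            if not validate_filter(value, allowed_fields, allowed_ops):
                return False
        return True
    if isinstance(node, list):
        return all(validate_filter(item, allowed_fields, allowed_ops)
                   for item in node)
    return True  # scalars carry no keys to check
```

`build_unsafe(MALICIOUS_NAME)` yields a document with `admin` set to true, while `build_safe` keeps the whole string inside the `name` field. The allowlist is deliberately strict: dotted paths such as `staff.id` would need to be added explicitly if the API should query nested fields.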
