The Lemmy server then going to receive that “message” from the UI and use it to execute something like
INSERTINTO posts SET title='my post' body='thoughts and stuff, I dunno' author_id='my user id'
This is fine.
What’s actually the problem is if you do something more complex, like if the UI queries for all posts by a set of authors where the time they were submitted was between some specific date range with contents matching blah blah blah and some other criteria. Make a the right query and you might hit a situation where the database behind the Lemmy server doesn’t have the data organized (think, like, a library; how things are organized by author name, or book title) in a way that makes finding matching results an easy thing to do; and instead the database need to look over every. single. post. multiple times to gather up the right results.
Normally there’s a separation between raw SQL and commands being issued by the UI to avoid what you’re describing (SQL Injection).
For example, the UI might call
/posts/new
with a JSON body describing the new post, this might look like,NewPost { title: String, body: String, author: UserId }
The Lemmy server then going to receive that “message” from the UI and use it to execute something like
INSERT INTO posts SET title='my post' body='thoughts and stuff, I dunno' author_id='my user id'
This is fine.
What’s actually the problem is if you do something more complex, like if the UI queries for all posts by a set of authors where the time they were submitted was between some specific date range with contents matching blah blah blah and some other criteria. Make a the right query and you might hit a situation where the database behind the Lemmy server doesn’t have the data organized (think, like, a library; how things are organized by author name, or book title) in a way that makes finding matching results an easy thing to do; and instead the database need to look over every. single. post. multiple times to gather up the right results.
Now do this 1000s of times in quick succession.