by stephenr 922 days ago
I don't disagree there are uses for stored procedures - but the question as stated is about CRUD operations, not about complex queries or reporting.
1 comment

But if you let callers use SQL for CRUD operations, you have to give them the ability to execute arbitrary SQL, and there’s no guarantee they’ll only do CRUD operations.

Yes, you could enforce that through code review, but it’s easier to do by using the access control mechanisms of the database. That also would catch any problems before code review.
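
The database-level enforcement described in the reply above, as an added example that is not part of the thread: the application role gets no table privileges and may only execute CRUD routines. It assumes PostgreSQL (where such routines are commonly written as functions); the table, role and function names are constructed for illustration.

```sql
-- Constructed schema and role names; assumes PostgreSQL, run as a superuser.
CREATE TABLE customers (
    id    bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    email text NOT NULL UNIQUE,
    name  text NOT NULL
);
CREATE ROLE app_rw NOLOGIN;  -- hypothetical application role

-- No direct table privileges: ad-hoc SQL from app_rw is rejected by the database.
REVOKE ALL ON customers FROM PUBLIC, app_rw;

-- CRUD entry points. SECURITY DEFINER runs them with the owner's privileges;
-- the pinned search_path (pg_temp last) keeps callers from shadowing objects.
CREATE FUNCTION customer_create(p_email text, p_name text) RETURNS bigint
LANGUAGE sql SECURITY DEFINER SET search_path = public, pg_temp AS $$
    INSERT INTO customers (email, name) VALUES (p_email, p_name) RETURNING id;
$$;

CREATE FUNCTION customer_read(p_id bigint)
RETURNS TABLE (id bigint, email text, name text)
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public, pg_temp AS $$
    SELECT c.id, c.email, c.name FROM customers c WHERE c.id = p_id;
$$;

CREATE FUNCTION customer_rename(p_id bigint, p_name text) RETURNS void
LANGUAGE sql SECURITY DEFINER SET search_path = public, pg_temp AS $$
    UPDATE customers SET name = p_name WHERE id = p_id;
$$;

CREATE FUNCTION customer_delete(p_id bigint) RETURNS void
LANGUAGE sql SECURITY DEFINER SET search_path = public, pg_temp AS $$
    DELETE FROM customers WHERE id = p_id;
$$;

-- Functions are executable by PUBLIC by default, so revoke that first.
REVOKE ALL ON FUNCTION customer_create(text, text), customer_read(bigint),
    customer_rename(bigint, text), customer_delete(bigint) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION customer_create(text, text), customer_read(bigint),
    customer_rename(bigint, text), customer_delete(bigint) TO app_rw;

-- Check as the application role.
SET ROLE app_rw;
SELECT customer_create('ada@example.test', 'Ada');  -- allowed
SELECT * FROM customer_read(1);                     -- allowed
SELECT * FROM customers;  -- fails: permission denied for table customers
DELETE FROM customers;    -- fails: permission denied for table customers
RESET ROLE;
```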