I am writing an internal API for my company which allows users to pass in SharePoint CAML query. In side my function I take to user's query, and add some additional elements to it and then use the final query to retrieve required data from SharePoint.
Example:
User passes in:
<Query>
<Where>
<Eq>
<FieldRef Name='Category' />
<Value Type='Choice'>Bug</Value>
</Eq>
</Where>
</Query>
Internally, I modify the query to be:
<Query>
<Where>
<And>
<Eq>
<FieldRef Name='Category' />
<Value Type='Choice'>Bug</Value>
</Eq>
<Eq>
<FieldRef Name='AssignedTo' />
<Value Type='Integer'><UserID /></Value>
</Eq>
</And>
</Where>
</Query>
What do you think is the best way to validate queries sent by users?
If the queries that you're going to allow are fairly restricted, it might be a good approach to build a schema to represent what a valid query would be. Then you could just see if their xml is valid according to that schema. Also, I know that you can use the CAML Builder dll from code. I can't find an example of this right away, but there may be a way to use it's CAML building methods in a try/catch block to stop invalid queries from ever getting built.
Also, it occurs to me that you may need to watch out for the fact that the CAML query's FieldRef will need to be built using the internal name of the field which may differ from the display name.