Clifton Cunningham

PROFILE

During March 2026, Clifton Cunningham developed secure HTTP query parameter binding for the /v1/query endpoint in the databendlabs/databend repository. He implemented server-side support for both positional and named parameters, using Rust to enforce AST-level substitution and mitigate SQL injection risks. Clifton enhanced the parsing logic to wrap parameters with parse_json() for accurate type casting, bypassing raw parsing when parameters are present. He also created stateless integration tests to verify all binding scenarios, ensuring reliability and preventing regressions. His work demonstrated depth in backend development, API design, and secure SQL handling, delivering a robust and security-focused feature end-to-end.

Overall Statistics

Feature vs Bugs

100% Features

Repository Contributions

Total: 1
Bugs: 0
Commits: 1
Features: 1
Lines of code: 698
Activity Months: 1

Work History

March 2026

1 Commit • 1 Feature

Mar 1, 2026

March 2026 (databendlabs/databend) highlights include delivering secure HTTP query parameter binding for the /v1/query endpoint, expanding safe parameter handling and test coverage, and reinforcing the security posture of the HTTP API.

Key features delivered:
- Implemented server-side parameter binding for HTTP queries on /v1/query with support for both positional (JSON array) and named (JSON object) parameters.
- Enforced AST-level parameter substitution to prevent SQL injection by converting values to literal AST nodes prior to execution.
- Added stateless integration tests covering all parameter binding scenarios to verify correctness and prevent regressions.
- Updated parsing logic so that when params are provided, raw INSERT/REPLACE parsing is bypassed and parameters are wrapped with parse_json() for proper type casting (variant/array/map).

Major bugs fixed:
- None reported this month.

Overall impact and accomplishments:
- Strengthened security for dynamic HTTP queries, enabling safer client-driven parameterization and reducing SQL injection risk.
- Improved reliability and confidence in the /v1/query API through comprehensive integration tests and robust parsing logic.
- Demonstrated end-to-end delivery from feature inception to testing and release readiness.

Technologies/skills demonstrated:
- Backend/API development, Rust-related server-side programming, AST transformations, secure coding practices, integration testing, JSON handling and parameter binding workflows.

Quality Metrics

Correctness: 100.0%
Maintainability: 80.0%
Architecture: 100.0%
Performance: 80.0%
AI Usage: 40.0%

Skills & Technologies

Programming Languages

Rust

Technical Skills

API development, SQL, backend development

Repositories Contributed To

1 repo

Overview of all repositories you've contributed to across your timeline

databendlabs/databend

Mar 2026 to Mar 2026
1 Month active

Languages Used

Rust

Technical Skills

API development, SQL, backend development