PreparedStatement-style parameters support on the REST layer

[astefan]

Similar to https://www.elastic.co/guide/en/elasticsearch/reference/7.x/sql-rest-params.html#sql-rest-params, we should support this type of parameters in requests to the EQL endpoint to prevent any sql-injection kind of attempts.

[elasticmachine]

Pinging @elastic/es-search (:Search/EQL)

[costin]

Note this issue is mainly about the grammar (to support the ? placeholders).

[rw-access]

Does it make sense for to move SqlTypedParamValue to QL? Or should that be duplicated instead for EQL?

elasticsearch/x-pack/plugin/sql/src/main/java/org/elasticsearch/xpack/sql/parser/ExpressionBuilder.java

Lines 139 to 143 in aebda81

	private final Map<Token, SqlTypedParamValue> params;
	ExpressionBuilder(Map<Token, SqlTypedParamValue> params) {
	this.params = params;
	}

[costin]

SQLTypedParam has a value and a type because it is used internally by the SQL drivers (which are typed). This is not the case here - a simple Object should do as JSON would map that to the appropriate number or string.

[costin]

@matriv as this is a minor issue to address and got mentioned in some few discussions, it's worth seeing whether we can address it in our next release. This is low priority however it would be useful to assess its impact by using ? char as we're reviewing the grammar.
There is an old PR for it #52301 though the code base has changed a lot since then.

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)