cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Stevens <at...@hotmail.com>
Subject RE: Cocoon database access strategy
Date Sun, 01 Jul 2007 01:54:42 GMT

Bloody hotmail appears to have stripped out all my sql & xsl namespaced XML elements :-(
Anyone know how to disable this in the new "improved" interface?

> From: ats37@hotmail.com
> Date: Sun, 1 Jul 2007 02:35:03 +0100
> 
> > Date: Sun, 24 Jun 2007 11:14:38 +0200
> > From: tobia.conforto@linux.it
> > 
> > Rob Frohwein wrote:
> > > - query1.xml    using SqlTransformer on table1
> > > - cleansql.xsl  rename 
> > > - process1.xsl  reorganize
> > > - query2.xsl    query different table
> > > - cleansql.xsl  rename 
> > > - process2.xsl  reorganize
> > > ...
> > >
> > > It works, but is this the "right" approach?
> > 
> ...
> > 
> > It works well, but it has some security and performance problems (more
> > on that in a minute) so I'd like to know if there's a better approach.
> > 
> > One of the problems with the SQL Transformer, when used with XSLT in
> > this fashion, is that it lacks support for prepared statements and
> > parameters.  Without parameters ( in XSP) you have the
> > same security problems you would have in badly written PHP:
> > 
> > 	SELECT ...
> > 	FROM ...
> > 	WHERE name = ''
> > 
> > You did think of this problem, didn't you? :) I can post my:addslashes()
> > if you want.  In any case you will agree that composing queries this way
> > is... "antiquated" at best.
> > 
> > The compiled query cannot be cached (as a prepared statement would),
> > because it changes with every request, and I fear the SQL Transformer
> > doesn't even try to cache it.
> 
> What about
> 

substitute brackets with less than & greater than symbols as appropriate...

(sql:execute-query xmlns:sql="http://apache.org/cocoon/SQL/2.0")
(sql:query) 
SELECT ...
FROM ...
WHERE name = ?
(/sql:query)
(sql:in-parameter nr="1")
(xsl:attribute name="value")(xsl:value-of select="$whatever"/)(/xsl:attribute)
(/sql:in-parameter)
(/sql:execute-query)

> ?  The in-parameter may change, but the query itself doesn't so the prepared statement
ought to cache it.
> 
> Admittedly, as written above you've got to supply the in-parameter value as a map:parameter
to the XSL transformer rather than the SQL transformer, since it's not valid XML to put elements
inside attributes (so 

(sql:in-parameter nr="1" value="(sql:substitute-value name="whatever"/)"/)

>isn't valid).  To work around that, we customised the transformer so that in-parameter
can take either a constant value (in the value attribute) or the name of a supplied parmeter
(in a new "param" attribute) which is substituted in the same fashion as substitute-value.
 That shortens it to
 
(sql:query) 
 SELECT ...
 FROM ...
 WHERE name = ?
(/sql:query)
(sql:in-parameter nr="1" param="whatever"/)
 

Andrew.

_________________________________________________________________
100’s of Music vouchers to be won with MSN Music
https://www.musicmashup.co.uk/index.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org


Mime
View raw message