db-torque-dev mailing list archives

From "Greg Monroe" <Greg.Mon...@DukeCE.com>
Subject RE: Re: Proposal for Automatic text escaping and overflow checking
Date Mon, 03 Oct 2005 13:49:49 GMT
But this is not input checking... this is doing the job of the O/R layer...
trying to ensure that the Java representation of Strings maps correctly
to the SQL input definition of strings.  Java does not have the concept of
limited length strings like SQL does.  Java has no concept of special
characters in strings that need to be delimited like SQL does.  How can
ensuring that this mapping is done properly NOT be part of the O/R
layer's responsibilities?

> -----Original Message-----
> From: Henning P. Schmiedehausen [mailto:hps@intermeta.de] 
> Sent: Saturday, October 01, 2005 5:42 AM
> To: torque-dev@db.apache.org
> Subject: Re: Proposal for Automatic text escaping and overflow checking
> 
> 
> "Greg Monroe" <Greg.Monroe@DukeCE.com> writes:
> 
> No. Torque is an O/R layer, not an input value checking device.
> If you need this kind of check, do it in your Controller.
> 
> 	Best regards
> 		Henning
> 
> 
> 
> 
> >I've often thought that it would be nice if Torque would automatically
> >handle buffer overflow checking and SQL text escaping.  These are
> >two of the biggest "gotchas" in application vulnerabilities and take a
> >lot of time coding against (if you remember to do it).
> 
> >I was looking at the code and think I have found a relatively easy way
> >to handle this for most of Torque.  But before I start causing
> >unseen problems, I thought I'd run it by everyone for any "gotchas".
> 
> >First, it appears that all the common save methods end up going thru
> >the BasePeer method, insertOrUpdateRecord.  Here is where the objects
> >are converted into Village values prior to being saved.  It seems like
> >the section with:
> 
> >if ( obj instanceof String ) {
> >    ....
> >}
> 
> >is the place to do this.
> 
> >Checking for length problems is easy using the MapBuilder.vm template
> >mod I just submitted.  With this, the columnMap will have the size
> >to check against the String length.  If it's too long, the code would
> >throw a TorqueException.  (Should there be a TorqueException subclass
> >like TorqueFieldOverflowException to indicate this specific error?)
> 
> >Making sure that the string being saved has been escaped is a little
> >harder.  This is because the current version of quoteAndEscapeText is
> >non-repeatable.  E.g., if you call it twice, you double quote things.
> >There is a lot of existing code out there that calls this prior to
> >doing a save.
> 
> >So, in order for the new automatic escaping to work and not change the
> >data value, the quoteAndEscapeText method needs to be re-written so
> >it's repeatable.  Not a big deal, just some picky checking of the last
> >or next characters before something is changed.  Once that's done,
> >unescaped text will be automatically escaped and pre-escaped text will
> >just be passed thru.
> 
> >So, that's it.  Seems simple enough.  Have I missed any "gotchas" or
> >other issues that need to be considered?
> 
> >TIA
> 
> >Greg
> 
> >Greg Monroe    <Monroe@DukeCE.com>    (919)680-5050
> >C&IS Solutions Team Lead
> >Duke Corporate Education, Inc.
> >333 Liggett St.
> >Durham, NC 27701
> 
> -- 
> Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH
> hps@intermeta.de        +49 9131 50 654 0   http://www.intermeta.de/
> 
> RedHat Certified Engineer -- Jakarta Turbine Development  -- 
> hero for hire
>    Linux, Java, perl, Solaris -- Consulting, Training, Development
> 
> 		      4 - 8 - 15 - 16 - 23 - 42
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: torque-dev-unsubscribe@db.apache.org
> For additional commands, e-mail: torque-dev-help@db.apache.org
> 
> 
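Worked example, added here and not part of the thread or of Torque's own code: a column-size check against a constructed column map, plus the two escaping behaviours the proposal contrasts (plain escaping that double-escapes when applied twice, and the proposed "repeatable" variant that tries to recognise pre-escaped text). It is written in Python rather than Torque's Java; the column names and sizes, the function names and the exception class are assumptions, and wrapping the value in SQL quote delimiters is left out so that only the escaping step is shown.

```python
from dataclasses import dataclass

class FieldOverflowError(ValueError):
    """Raised when a string is longer than the column's declared size."""

@dataclass(frozen=True)
class ColumnMap:
    name: str
    size: int  # declared VARCHAR length; 0 means no limit

# Constructed column map, standing in for what a generated map builder would hold.
COLUMNS = {"title": ColumnMap("title", 10), "notes": ColumnMap("notes", 0)}

def check_length(column: str, value: str) -> str:
    """Raise if the raw value (what the DB stores) would overflow the column."""
    col = COLUMNS[column]
    if col.size and len(value) > col.size:
        raise FieldOverflowError(f"{col.name}: {len(value)} chars exceeds {col.size}")
    return value

def overflows(column: str, value: str) -> bool:
    """True when check_length refuses the value."""
    try:
        check_length(column, value)
    except FieldOverflowError:
        return True
    return False

def escape_text(text: str) -> str:
    """Plain escaping: double every single quote. Applied twice it double-escapes,
    which is the non-repeatable behaviour described in the proposal."""
    return text.replace("'", "''")

def escape_text_repeatable(text: str) -> str:
    """The proposed idempotent variant: a quote already followed by a quote is
    taken as pre-escaped and copied through unchanged. Caveat: a raw value that
    genuinely contains two adjacent quotes is indistinguishable from pre-escaped
    text, so it is stored with one quote fewer than the caller supplied."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "'":
            out.append("''")
            i += 2 if text[i + 1:i + 2] == "'" else 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def prepare_for_save(column: str, value: str) -> str:
    """Length check first (on the raw value), then escaping, in the proposal's order."""
    return escape_text(check_length(column, value))
```

The last two assertions of the accompanying checks are the point of the caveat: the repeatable version returns the same output for a pre-escaped "O''Brien" and for a raw value that really contains two quotes, so it cannot tell the two apart.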
