db-torque-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henning P. Schmiedehausen" <...@intermeta.de>
Subject Re: Proposal for Automatic text escaping and overflow checking
Date Sat, 01 Oct 2005 09:41:39 GMT
"Greg Monroe" <Greg.Monroe@DukeCE.com> writes:

No. Torque is an O/R layer, not an input value checking device. If you
need this kind of checks, do it in your Controller.

	Best regards
		Henning



>------_=_NextPart_001_01C5C5F8.3391B1D6
>Content-Type: text/plain;
>	charset="us-ascii"
>Content-Transfer-Encoding: quoted-printable

>I've often thought that it would be nice if Torque would automatically
>handle buffer=20
>overflow checking and SQL text escaping.  These are two of the biggest
>"gotcha"=20
>in application vunerablities and take a lot of time coding against (if
>you remember=20
>to do it).

>I was looking at the code and think I have found a relatively easy way
>to handle this=20
>for most of Torque.  But before I start causing unseen problems, I
>thought I'd run=20
>it by everyone for any "gotchas".

>First, it appears that all the common save methods end up going thru the
>BasePeer
>method, insertOrUpdateRecord.  Here is where the objects are converted
>into=20
>Village values prior to be saved.  It seems like the section with:

>if ( obj instanceof String ) {
>    ....
>}

>is the place to do this.

>Checking for length problems is easy using the MapBuilder.vm template
>mod I just=20
>submitted.  With this, the columnMap will have the size to check against
>the String
>length.  If it's too long, the codue would throw a TorqueException  (
>Should there
>be a TorqueException subclass like TorqueFieldOverflowException to
>indicate this=20
>specific error?)

>Making sure that the string being saved has been escaped is a little
>harder.  This
>is because the current version of quoteAndEscapeText is non-repeatable.
>E.g.,
>if you call it twice, you double quote things. There is a lot of
>existing code out there
>that calls this prior to doing a save. =20

>So, in order for, the new automatic escaping to work and not change the
>data value,=20
>the quoteAndEscapeText method needs to be re-written so it's repeatable.
>Not a=20
>big deal, just some pickie checking of the last or next characters
>before something=20
>is changed.  Once that's done, unescaped text will be automatically
>escaped and=20
>pre-escaped text will just be passed thru.

>So, that's it.  Seems simple enough.  Have I missed any "gotchas" or
>other issues=20
>that need to be considered?

>TIA

>Greg

>Greg Monroe    <Monroe@DukeCE.com>    (919)680-5050
>C&IS Solutions Team Lead
>Duke Corporate Education, Inc.
>333 Liggett St.
>Durham, NC 27701



>Duke CE Privacy Statement
>Please be advised that this e-mail and any files transmitted with it are =
>confidential communication or may otherwise be privileged or =
>confidential and are intended solely for the individual or entity to =
>whom they are addressed.  If you are not the intended recipient you may =
>not rely on the contents of this email or any attachments, and we ask =
>that you  please not read, copy or retransmit this communication, but =
>reply to the sender and destroy the email, its contents, and all copies =
>thereof immediately.  Any unauthorized dissemination, distribution or =
>copying of this communication is strictly prohibited.



>------_=_NextPart_001_01C5C5F8.3391B1D6--

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH
hps@intermeta.de        +49 9131 50 654 0   http://www.intermeta.de/

RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

		      4 - 8 - 15 - 16 - 23 - 42

---------------------------------------------------------------------
To unsubscribe, e-mail: torque-dev-unsubscribe@db.apache.org
For additional commands, e-mail: torque-dev-help@db.apache.org


Mime
View raw message