Hello,
I've been playing around with a small application in Seaside/Magritte running on Pharo 1.2.1, Cog VM, on OS X. I'm primarily interested in small sites/apps with lightweight persistence. GLORP would be a good option, though not exactly lightweight, since it is largely transparent to the application code, but I am concerned about SQL-injection attacks. Is there a good, quick guide/library for proofing GLORP against SQL injection attacks, or is there another lightweight option for single-image persistence which is also transparent? I have seen references to Magma, and I've noted that many say it adds about 30 seconds to image startup. I have dabbled with SandstoneDB, but find that there's too much involvement with application code. I've also read through the persistence section of the Seaside book, but I find I still cannot make up my mind.

I would love it if I could just leverage meta-data from Magritte, and have my objects be magically persistent, with no changes to application code, and no worries about SQL injection.

Any recommendations?

--Peter

--
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
time to try gemstone?

On Apr 19, 2011, at 1:56 PM, Peter Kwangjun Suk wrote:
> Hello,
>
> I've been playing around with a small application in Seaside/Magritte
> running on Pharo 1.2.1, Cog VM, on OS X. I'm primarily interested in
> small sites/apps with lightweight persistence. GLORP would be a good
> option though not exactly lightweight, since it is largely transparent
> to the application code, but I am concerned about SQL-injection
> attacks. Is there a good, quick guide/library for proofing GLORP
> against SQL injection attacks, or is there another lightweight option
> for single-image persistence which is also transparent? I have seen
> references to Magma, and I've noted that many say it adds about 30
> seconds to image startup. I have dabbled with SandstoneDB, but find
> that there's too much involvement with application code. I've also
> read through the persistence section of the Seaside book, but I find I
> still cannot make up my mind.
>
> I would love it if I could just leverage meta-data from Magritte, and
> have my objects be magically persistent, with no changes to
> application code, and no worries about SQL injection.
>
> Any recommendations?
>
> --Peter
>
> --
> There's neither heaven nor hell,
> save what we grant ourselves.
> There's neither fairness nor justice,
> save what we grant each other.
In reply to this post by Peter Kwangjun Suk
Don't worry about SQL injection because:

A. You do not have access to the image objects from the request. Seaside uses the callback registry.

B. The binding of the fields and properties is automatic; no one can do something like 'A and 1=1'. The SQL string is composed by Glorp, but all strings are saved for the platform objects.

Best. If you find a way to make SQL injection work... please let me know :)

On Tue, Apr 19, 2011 at 1:56 PM, Peter Kwangjun Suk <[hidden email]> wrote:
> Hello,
You are only safe from injection with Glorp if your platform and driver support (and have enabled) column binding and you never construct queries by concatenating strings.

Sent from my iPhone
On Tue, Apr 19, 2011 at 12:52 PM, Boris Popov, DeepCove Labs <[hidden email]> wrote:
> You are only safe from injection with Glorp if your platform and driver
> support (and have enabled) column binding and you never construct queries by
> concatenating strings.

Googling 'GLORP "column binding"' for me only turns up the previous quoted email message. Is there a place you can point me to for this technique?

--Peter

--
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
Peter,

DatabasePlatform class>>useBindingByDefault
DatabasePlatform class>>useBindingIfSupported
DatabasePlatform>>supportsBinding
DatabasePlatform>>canBind:to:

I would also Google for "sql parameter binding".

Hope this helps,

-Boris

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Peter Kwangjun Suk
Sent: 19 April 2011 15:38
To: Seaside - general discussion
Subject: Re: [Seaside] Single image persistence, GLORP, and SQL-injection

On Tue, Apr 19, 2011 at 12:52 PM, Boris Popov, DeepCove Labs <[hidden email]> wrote:
> You are only safe from injection with Glorp if your platform and
> driver support (and have enabled) column binding and you never
> construct queries by concatenating strings.

Googling 'GLORP "column binding"' for me only turns up the previous quoted email message. Is there a place you can point me to for this technique?

--Peter

--
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
On Tue, Apr 19, 2011 at 2:43 PM, Boris Popov, DeepCove Labs <[hidden email]> wrote:
> Peter,
>
> DatabasePlatform class>>useBindingByDefault
> DatabasePlatform class>>useBindingIfSupported
> DatabasePlatform>>supportsBinding
> DatabasePlatform>>canBind:to:
>
> I would also Google for "sql parameter binding".

Googling that last one turns up the following, which is very helpful indeed:

http://stackoverflow.com/questions/14934/parameter-binding-what-happens-under-the-hood

--Peter

--
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
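The distinction Boris draws above (a driver that binds parameters versus queries built by concatenating strings) is easiest to see with both forms side by side. The following is an added example written for this thread, not code from the thread, from Glorp, or from Seaside. It uses Python's standard sqlite3 module as a stand-in for the database platform, because sqlite3 binds parameters through `?` placeholders the same way a Glorp platform with `supportsBinding` does; the table, the user names and the query functions are all constructed for the example.

```python
import sqlite3

# Constructed sample rows, not data from the thread.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """The pattern Boris warns against: the value is spliced into the SQL text.

    Whatever the caller supplied is parsed by the database as part of the
    statement, so a quote character in the value changes the statement's shape.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Parameter binding: the statement is parsed once with a placeholder.

    The value travels separately and is only ever compared as data, so a quote
    character in it is just a character being compared.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on the same input and return (concatenated, bound) results.

    If the concatenated form no longer parses as SQL, its result is the error
    text instead of a row list, so the caller can see that the value was
    interpreted as statement syntax rather than as data.
    """
    conn = make_db()
    try:
        try:
            concat = find_by_name_concat(conn, name)
        except sqlite3.Error as exc:
            concat = "error: " + str(exc)
        bound = find_by_name_bound(conn, name)
    finally:
        conn.close()
    return concat, bound


if __name__ == "__main__":
    # An ordinary name: both forms agree.
    print(compare("alice"))
    # A legitimate name containing an apostrophe: concatenation breaks the
    # statement, binding simply finds no such user.
    print(compare("o'brien"))
    # The 'A and 1=1'-style input mentioned in the thread: concatenation lets the
    # value rewrite the WHERE clause and returns every user, binding returns none.
    print(compare("x' OR 'a'='a"))
```

The apostrophe case is the one to remember when auditing an ORM: a driver that cannot bind has to escape every value correctly on every platform, whereas a bound placeholder never puts the value through the SQL parser at all, which is why Boris's condition is both "supports binding" and "never concatenate".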
In reply to this post by Peter Kwangjun Suk
> for single-image persistence which is also transparent? I have seen
> references to Magma, and I've noted that many say it adds about 30
> seconds to image startup.

I don't know where you read that, but it simply isn't true. Magma has no bearing at all on image-startup; only what you decide to do or not do in your image-startup. There is a lot of misinformation flowing these days...

I'm actually surprised, though, that even if it were true, that it would be a factor in your selection, since with a server, you deploy it once and then it just runs... ??
In reply to this post by Peter Kwangjun Suk
On Tue, Apr 19, 2011 at 12:56 PM, Peter Kwangjun Suk <[hidden email]> wrote:
...

If PostgreSQL is acceptable, you can use Magritte-Roe from the "old" Magritte AddOns repository.

--John

--
http://john-mckeon.us
In reply to this post by Chris Muller-3
On Wed, Apr 20, 2011 at 12:04 AM, Chris Muller <[hidden email]> wrote:

I was thinking about the same. Who cares how much it takes to start the "server". I remember my old Java days, and I promise that starting Oracle + IAS or WebSphere or whatever application server + database were MUCH MUCH MUCH more than 30 secs.

Cheers

Mariano

--
Mariano
http://marianopeck.wordpress.com
On Wed, Apr 20, 2011 at 3:08 AM, Mariano Martinez Peck <[hidden email]> wrote:
> I was thinking about the same. Who cares how much it takes to start the
> "server".
> I remember my old Java days, and I promise that starting Oracle + IAS or
> WebSphere or whatever application server + database were MUCH MUCH MUCH more
> than 30 secs.

Ever since I got the SSD, I'm accustomed to everything coming up instantly nowadays. I'm also in the habit of running a development server on my local machine. If I end up doing more work in Seaside, I'll be looking at Seaside-Roe and PostgreSQL.

--Peter

--
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.