Single image persistence, GLORP, and SQL-injection


Single image persistence, GLORP, and SQL-injection

Peter Kwangjun Suk
Hello,

I've been playing around with a small application in Seaside/Magritte
running on Pharo 1.2.1, Cog VM, on OS X.  I'm primarily interested in
small sites/apps with lightweight persistence.  GLORP would be a good
option though not exactly lightweight, since it is largely transparent
to the application code, but I am concerned about SQL-injection
attacks.  Is there a good, quick guide/library for proofing GLORP
against SQL injection attacks, or is there another lightweight option
for single-image persistence which is also transparent?  I have seen
references to Magma, and I've noted that many say it adds about 30
seconds to image startup.  I have dabbled with SandstoneDB, but find
that there's too much involvement with application code.  I've also
read through the persistence section of the Seaside book, but I find I
still cannot make up my mind.

I would love it if I could just leverage meta-data from Magritte, and
have my objects be magically persistent, with no changes to
application code, and no worries about SQL injection.

Any recommendations?

--Peter

--
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Re: Single image persistence, GLORP, and SQL-injection

sebastianconcept@gmail.co
time to try gemstone?



On Apr 19, 2011, at 1:56 PM, Peter Kwangjun Suk wrote:

> Hello,
>
> I've been playing around with a small application in Seaside/Magritte
> running on Pharo 1.2.1, Cog VM, on OS X.  I'm primarily interested in
> small sites/apps with lightweight persistence.  GLORP would be a good
> option though not exactly lightweight, since it is largely transparent
> to the application code, but I am concerned about SQL-injection
> attacks.  Is there a good, quick guide/library for proofing GLORP
> against SQL injection attacks, or is there another lightweight option
> for single-image persistence which is also transparent?  I have seen
> references to Magma, and I've noted that many say it adds about 30
> seconds to image startup.  I have dabbled with SandstoneDB, but find
> that there's too much involvement with application code.  I've also
> read through the persistence section of the Seaside book, but I find I
> still cannot make up my mind.
>
> I would love it if I could just leverage meta-data from Magritte, and
> have my objects be magically persistent, with no changes to
> application code, and no worries about SQL injection.
>
> Any recommendations?
>
> --Peter
>
> --
> There's neither heaven nor hell,
> save what we grant ourselves.
> There's neither fairness nor justice,
> save what we grant each other.
> _______________________________________________
> seaside mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside


Re: Single image persistence, GLORP, and SQL-injection

Diogenes Moreira
In reply to this post by Peter Kwangjun Suk
Don't worry about SQL injection because:

A. You do not have access to the image objects from the request. Seaside uses the callback registry.
B. The binding of the fields and properties is automatic; no one can do something like 'A and 1=1'.

The SQL string is composed by Glorp, but all strings are safe for the platform objects.

Best.

If you find a way to make an SQL injection... please let me know :)



Re: Single image persistence, GLORP, and SQL-injection

Boris Popov, DeepCove Labs (SNN)
You are only safe from injection with Glorp if your platform and driver support (and have enabled) column binding and you never construct queries by concatenating strings.

Sent from my iPhone


Re: Single image persistence, GLORP, and SQL-injection

Peter Kwangjun Suk
On Tue, Apr 19, 2011 at 12:52 PM, Boris Popov, DeepCove Labs
<[hidden email]> wrote:
> You are only safe from injection with Glorp if your platform and driver
> support (and have enabled) column binding and you never construct queries by
> concatenating strings.

Googling 'GLORP "column binding"' for me only turns up the previous
quoted email message.  Is there a place you can point me to for this
technique?

--Peter

--
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.

RE: Single image persistence, GLORP, and SQL-injection

Boris Popov, DeepCove Labs (SNN)
Peter,

DatabasePlatform class>>useBindingByDefault
DatabasePlatform class>>useBindingIfSupported
DatabasePlatform>>supportsBinding
DatabasePlatform>>canBind:to:

I would also Google for "sql parameter binding".

Hope this helps,

-Boris


Re: Single image persistence, GLORP, and SQL-injection

Peter Kwangjun Suk
On Tue, Apr 19, 2011 at 2:43 PM, Boris Popov, DeepCove Labs
<[hidden email]> wrote:
> Peter,
>
> DatabasePlatform class>>useBindingByDefault
> DatabasePlatform class>>useBindingIfSupported
> DatabasePlatform>>supportsBinding
> DatabasePlatform>>canBind:to:
>
> I would also Google for "sql parameter binding".

Googling that last one turns up the following, which is very helpful indeed:
http://stackoverflow.com/questions/14934/parameter-binding-what-happens-under-the-hood

--Peter

--
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
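To make concrete the distinction Boris draws (binding enabled versus building queries by concatenating strings) and what the "parameter binding under the hood" answer Peter links to is about, here is an added example. It is not code from the thread, from Glorp or from Seaside: it uses Python's standard sqlite3 driver in place of a Smalltalk database platform, and the `users` table and its rows are constructed for the example. The concatenating form is the one Boris warns against; the bound form is what `useBindingByDefault` / `useBindingIfSupported` arrange for Glorp-generated SQL on a platform whose driver supports it.

```python
import sqlite3

# Constructed sample data for this example (not from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("o'brien", "obrien@example.invalid"),   # a legitimate name containing a quote
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_concat(conn, name):
    """Query built by string concatenation: the value becomes part of the
    statement text, so a quote inside `name` rewrites the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Query with parameter binding: the statement text is fixed and the
    driver hands `name` to the engine as a value, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run the same lookup both ways and report what each returns."""
    conn = make_db()
    try:
        concat = find_by_name_concat(conn, name)
    except sqlite3.OperationalError:
        concat = "syntax error"     # the quote broke the statement text
    bound = find_by_name_bound(conn, name)
    return {"concat": concat, "bound": bound}


if __name__ == "__main__":
    for probe in ["alice", "o'brien", "x' OR 1=1 --"]:
        print(repr(probe), compare(probe))
```

Three inputs tell the story: a plain name behaves the same both ways; a legitimate name with an apostrophe breaks the concatenated statement but is found correctly when bound; and the quote-and-comment input the thread's 'A and 1=1' remark alludes to turns the concatenated query into "return every row", while the bound query simply finds no user with that literal name. This is also why Boris adds the second condition: binding only protects the queries Glorp generates, not any statement the application assembles by hand.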

Re: Single image persistence, GLORP, and SQL-injection

Chris Muller-3
In reply to this post by Peter Kwangjun Suk
> for single-image persistence which is also transparent?  I have seen
> references to Magma, and I've noted that many say it adds about 30
> seconds to image startup.

I don't know where you read that, but it simply isn't true.  Magma has
no bearing at all on image-startup; only what you decide to do or not
do in your image-startup.

There is a lot of misinformation flowing these days...

I'm actually surprised, though, that even if it were true, it would be
a factor in your selection, since with a server, you deploy it once
and then it just runs... ??

Re: Single image persistence, GLORP, and SQL-injection

John McKeon
In reply to this post by Peter Kwangjun Suk


On Tue, Apr 19, 2011 at 12:56 PM, Peter Kwangjun Suk <[hidden email]> wrote:

I would love it if I could just leverage meta-data from Magritte, and
have my objects be magically persistent, 

... 

Any recommendations?

If PostgreSQL is acceptable, you can use Magritte-Roe from the "old" Magritte AddOns repository.

--John



--
http://john-mckeon.us


Re: Single image persistence, GLORP, and SQL-injection

Mariano Martinez Peck
In reply to this post by Chris Muller-3


I was thinking the same. Who cares how long it takes to start the "server".
I remember my old Java days, and I promise that starting Oracle + IAS or WebSphere or whatever application server + database took MUCH MUCH MUCH more than 30 secs.

Cheers

Mariano


 
--
Mariano
http://marianopeck.wordpress.com



Re: Single image persistence, GLORP, and SQL-injection

Peter Kwangjun Suk
On Wed, Apr 20, 2011 at 3:08 AM, Mariano Martinez Peck
<[hidden email]> wrote:
> I was thinking the same. Who cares how long it takes to start the
> "server".
> I remember my old Java days, and I promise that starting Oracle + IAS or
> WebSphere or whatever application server + database took MUCH MUCH MUCH more
> than 30 secs.

Ever since I got the SSD, I'm accustomed to everything coming up
instantly nowadays.  I'm also in the habit of running a development
server on my local machine.

If I end up doing more work in Seaside, I'll be looking at Seaside-Roe
and PostgreSQL.

--Peter

--
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.