Posted to torque-dev@db.apache.org by Greg Monroe <Gr...@DukeCE.com> on 2005/09/30 21:50:25 UTC

Proposal for Automatic text escaping and overflow checking

I've often thought that it would be nice if Torque would automatically handle buffer overflow checking and SQL text escaping. These are two of the biggest "gotchas" in application vulnerabilities and take a lot of time coding against (if you remember to do it).

I was looking at the code and think I have found a relatively easy way to handle this for most of Torque. But before I start causing unseen problems, I thought I'd run it by everyone for any "gotchas".

First, it appears that all the common save methods end up going thru the BasePeer method, insertOrUpdateRecord. Here is where the objects are converted into Village values prior to being saved. It seems like the section with:

if ( obj instanceof String ) {
    ....
}

is the place to do this.

Checking for length problems is easy using the MapBuilder.vm template mod I just submitted. With this, the columnMap will have the size to check against the String length. If it's too long, the code would throw a TorqueException. (Should there be a TorqueException subclass like TorqueFieldOverflowException to indicate this specific error?)

Making sure that the string being saved has been escaped is a little harder. This is because the current version of quoteAndEscapeText is non-repeatable. E.g., if you call it twice, you double quote things. There is a lot of existing code out there that calls this prior to doing a save.

So, in order for the new automatic escaping to work and not change the data value, the quoteAndEscapeText method needs to be re-written so it's repeatable. Not a big deal, just some picky checking of the last or next characters before something is changed. Once that's done, unescaped text will be automatically escaped and pre-escaped text will just be passed thru.

So, that's it. Seems simple enough. Have I missed any "gotchas" or other issues that need to be considered?

TIA

Greg

Greg Monroe    <Mo...@DukeCE.com>    (919)680-5050
C&IS Solutions Team Lead
Duke Corporate Education, Inc.
333 Liggett St.
Durham, NC 27701
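The repeatable quoteAndEscapeText and columnMap size check that the proposal above describes, as an added illustration that is not Torque's own code: the class and method names, the FieldOverflowException stand-in and the single-quote-doubling convention are assumptions.

```java
// Added illustration, not Torque's code; names and the quote-doubling convention are assumed.
public final class RepeatableEscape {

    /** Stand-in for the TorqueFieldOverflowException suggested in the proposal (assumed name). */
    public static class FieldOverflowException extends Exception {
        public FieldOverflowException(String msg) { super(msg); }
    }

    /** True if s is 'text' with every inner single quote doubled, i.e. already escaped.
     *  Note the cost of pass-through: a raw value that happens to look like that is taken as escaped. */
    static boolean isAlreadyQuoted(String s) {
        int n = s.length();
        if (n < 2 || s.charAt(0) != '\'' || s.charAt(n - 1) != '\'') return false;
        for (int i = 1; i < n - 1; i++) {
            if (s.charAt(i) != '\'') continue;
            // A lone quote in the body means raw text, so it still needs escaping.
            if (i + 1 >= n - 1 || s.charAt(i + 1) != '\'') return false;
            i++; // skip the second half of the doubled quote
        }
        return true;
    }

    /** Repeatable: applying this to its own output returns the same string. */
    static String quoteAndEscapeText(String text) {
        return isAlreadyQuoted(text) ? text : "'" + text.replace("'", "''") + "'";
    }

    /** Length of the value as it will be stored, whether or not it is already quoted. */
    static int storedLength(String text) {
        if (!isAlreadyQuoted(text)) return text.length();
        return text.substring(1, text.length() - 1).replace("''", "'").length();
    }

    /** What the String branch of insertOrUpdateRecord could do with the columnMap size. */
    static String checkAndEscape(String text, int columnSize) throws FieldOverflowException {
        int len = storedLength(text);
        if (len > columnSize) {
            throw new FieldOverflowException("length " + len + " exceeds column size " + columnSize);
        }
        return quoteAndEscapeText(text);
    }

    public static void main(String[] args) throws FieldOverflowException {
        String once = quoteAndEscapeText("O'Brien");   // 'O''Brien'
        System.out.println(once + " repeatable=" + once.equals(quoteAndEscapeText(once)));
        System.out.println(checkAndEscape(once, 7));   // stored length is 7, so this passes
        checkAndEscape("Duke Corporate Education", 10); // throws FieldOverflowException
    }
}
```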

Re: Proposal for Automatic text escaping and overflow checking

Posted by "Henning P. Schmiedehausen" <hp...@intermeta.de>.
"Greg Monroe" <Gr...@DukeCE.com> writes:

No. Torque is an O/R layer, not an input value checking device. If you
need this kind of check, do it in your Controller.

	Best regards
		Henning



-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH
hps@intermeta.de        +49 9131 50 654 0   http://www.intermeta.de/

RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

		      4 - 8 - 15 - 16 - 23 - 42
