Posted to torque-dev@db.apache.org by "Henning P. Schmiedehausen" <hp...@intermeta.de> on 2005/10/01 11:41:39 UTC
Re: Proposal for Automatic text escaping and overflow checking
"Greg Monroe" <Gr...@DukeCE.com> writes:
No. Torque is an O/R layer, not an input value checking device. If you
need this kind of checks, do it in your Controller.
Best regards
Henning
>I've often thought that it would be nice if Torque would automatically handle buffer overflow checking and SQL text escaping. These are two of the biggest "gotchas" in application vulnerabilities and take a lot of time coding against (if you remember to do it).
>
>I was looking at the code and think I have found a relatively easy way to handle this for most of Torque. But before I start causing unseen problems, I thought I'd run it by everyone for any "gotchas".
>
>First, it appears that all the common save methods end up going thru the BasePeer method, insertOrUpdateRecord. Here is where the objects are converted into Village values prior to being saved. It seems like the section with:
>
>if ( obj instanceof String ) {
> ....
>}
>
>is the place to do this.
>
>Checking for length problems is easy using the MapBuilder.vm template mod I just submitted. With this, the columnMap will have the size to check against the String length. If it's too long, the code would throw a TorqueException (Should there be a TorqueException subclass like TorqueFieldOverflowException to indicate this specific error?)
>
>Making sure that the string being saved has been escaped is a little harder. This is because the current version of quoteAndEscapeText is non-repeatable. E.g., if you call it twice, you double quote things. There is a lot of existing code out there that calls this prior to doing a save.
>
>So, in order for the new automatic escaping to work and not change the data value, the quoteAndEscapeText method needs to be re-written so it's repeatable. Not a big deal, just some picky checking of the last or next characters before something is changed. Once that's done, unescaped text will be automatically escaped and pre-escaped text will just be passed thru.
>
>So, that's it. Seems simple enough. Have I missed any "gotchas" or other issues that need to be considered?
>TIA
>Greg
>Greg Monroe <Mo...@DukeCE.com> (919)680-5050
>C&IS Solutions Team Lead
>Duke Corporate Education, Inc.
>333 Liggett St.
>Durham, NC 27701
>Duke CE Privacy Statement
>Please be advised that this e-mail and any files transmitted with it are confidential communication or may otherwise be privileged or confidential and are intended solely for the individual or entity to whom they are addressed. If you are not the intended recipient you may not rely on the contents of this email or any attachments, and we ask that you please not read, copy or retransmit this communication, but reply to the sender and destroy the email, its contents, and all copies thereof immediately. Any unauthorized dissemination, distribution or copying of this communication is strictly prohibited.
--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen INTERMETA GmbH
hps@intermeta.de +49 9131 50 654 0 http://www.intermeta.de/
RedHat Certified Engineer -- Jakarta Turbine Development -- hero for hire
Linux, Java, perl, Solaris -- Consulting, Training, Development
4 - 8 - 15 - 16 - 23 - 42
---------------------------------------------------------------------
To unsubscribe, e-mail: torque-dev-unsubscribe@db.apache.org
For additional commands, e-mail: torque-dev-help@db.apache.org
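The exchange above turns on two mechanisms: a column-size check before the save, and an escaping routine that can be applied twice without changing the value. What follows is an added example, not code from Torque or from either poster, written in Python against the standard sqlite3 module rather than Torque's Java and Village layers so that it runs stand-alone. It models the column map as a hand-built dictionary and reads the proposed "repeatable" escaper as a pass-through for any value that already looks like a quoted literal with doubled inner quotes; both are assumptions of this example. It shows the caveat a reviewer would raise against the proposal: once the escaper passes pre-escaped text through, it can no longer tell such text apart from user data that happens to contain quotes, so legitimate values like '' or 'quoted' are silently altered on the way to the database. Binding the value as a statement parameter round-trips every value unchanged and needs no escaping at all, which is why the quoting question belongs to the driver rather than to an idempotent string function.

```python
import sqlite3

# Constructed stand-in for the column sizes the proposal wants to read from
# Torque's columnMap (assumption: a real implementation would take them from
# the generated map classes).
COLUMN_SIZES = {("author", "name"): 16}


class FieldOverflowError(ValueError):
    """Raised before the save when a String is longer than its column."""


def check_length(table, column, value):
    """Reject a value that would overflow the column; return it unchanged otherwise."""
    limit = COLUMN_SIZES[(table, column)]
    if len(value) > limit:
        raise FieldOverflowError(f"{table}.{column}: {len(value)} chars > {limit}")
    return value


def quote_and_escape(text):
    """Non-repeatable escape: double every quote, then wrap in quotes.
    Applied twice it yields a different literal, the complaint in the proposal."""
    return "'" + text.replace("'", "''") + "'"


def quote_and_escape_repeatable(text):
    """This example's reading of the 'repeatable' escape the proposal sketches:
    if the value already looks like a quoted literal whose inner quotes are all
    doubled, pass it through unchanged; otherwise escape it."""
    if len(text) >= 2 and text[0] == "'" and text[-1] == "'":
        inner = text[1:-1]
        if "'" not in inner.replace("''", ""):  # every inner quote is doubled
            return text
    return quote_and_escape(text)


def _fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE author (name TEXT)")
    return con


def stored_via_escaping(value, escaper):
    """Build the INSERT by string concatenation, the way escape-then-save code
    does, and return what the database actually stored."""
    con = _fresh_db()
    con.execute("INSERT INTO author (name) VALUES (" + escaper(value) + ")")
    return con.execute("SELECT name FROM author").fetchone()[0]


def stored_via_binding(value):
    """Bind the value as a parameter: the driver never parses it as SQL text,
    so no escaping is needed and nothing can be double-escaped."""
    con = _fresh_db()
    con.execute("INSERT INTO author (name) VALUES (?)", (value,))
    return con.execute("SELECT name FROM author").fetchone()[0]


def twice(escaper):
    """Simulate caller code that escaped already before the O/R layer escapes again."""
    return lambda value: escaper(escaper(value))


if __name__ == "__main__":
    # Constructed inputs: a name with an apostrophe, two bare apostrophes,
    # and a value the user deliberately wrapped in quotes.
    for value in ["O'Brien", "''", "'quoted'"]:
        print(repr(value),
              "escape:", repr(stored_via_escaping(value, quote_and_escape)),
              "escape x2:", repr(stored_via_escaping(value, twice(quote_and_escape))),
              "repeatable:", repr(stored_via_escaping(value, quote_and_escape_repeatable)),
              "bound:", repr(stored_via_binding(value)))
```

Running the script shows "O'Brien" surviving the plain escaper once but coming back as 'O''Brien' when escaped twice, which is the double-quoting the proposal describes; the repeatable escaper fixes that case but stores "" for the input '' and quoted for the input 'quoted', while the bound parameter returns all three inputs byte for byte. The length check is independent of the quoting question and can sit in the controller, as the reply suggests, or as a defensive check in the peer layer; neither placement changes the fact that only binding keeps the data and the SQL apart.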