[Seaside] database stuff (was: Avoiding SQL injections with squeak / seaside / mysql driver)

Jason Johnson jbjohns at libsource.com
Fri Oct 20 18:15:27 UTC 2006


Very cool.  Is this how the ruby database stuff works?  I am tied up 
with RecuranceRule right now, and after that a web site.  But when I get 
those two things done I was considering doing a RoR type thing in 
Seaside.  Of course it will be "seaside-esque" (i.e., everything is done 
in the web, no config files, etc., and styling is done with CSS instead 
of hand-written template yuckery).  So I need to know what database 
thing will get me the closest to the ActiveRecord stuff they do (haven't 
really looked at it yet).

Also, does your driver have any compiled components?  My preference 
would be pure smalltalk drivers if possible.  But that wish is just 
based on the belief that a binary component will mean possibly doing 
something to the VM, or at a minimum having to worry about binary 
compatibility.  If this stuff is completely painless in squeak somehow, 
then I guess it wouldn't matter so much.

William Harford wrote:
> Vincent,
>
> My image has String asEscapedSql it may or may not be in your image 
> but it is easy to add. Assuming you don't use "s to surround strings 
> the following should work.
>
> asEscapedSql
>     ^String streamContents: [ :stream |
>         self do: [ :char |
>             (#($' $\) includes: char)
>                 ifTrue: [ stream nextPut: char ].
>             stream nextPut: char ] ]
>
> Just add that method to your string class and call it when putting 
> strings into the database.
>
> It will make ' look like '' and \ look like \\.
>
> If you are interested in object to relational storage for MySQL or 
> PostgreSQL have a look at REServe.
>
> http://squeaksource.com/REServe.html
>
> It allows you to store objects in a relational database without ever 
> having to deal with SQL. It supports polymorphism, collections, 
> Smalltalk enumeration-like querying, and some other nice features. 
> Currently it is not possible to map existing tables to objects but 
> that should not be too difficult to do (it might even work now but I 
> have never tried it).
>
> Enjoy
> Will
>
> On Oct 19, 2006, at 12:46 PM, Vincent Girard-Reydet wrote:
>
>> Hello,
>>
>> I hope this is the right place to ask the question.
>> I'm using squeak / seaside and the mysql driver to implement a web 
>> site with database support.
>>
>> I wish to avoid SQL injections from user input.
>>
>> Does anyone know if there is something already in Squeak to do this 
>> (namely escaping quotes in user input)
>>
>> Thanks a lot.
>>
>> Vincent Girard-Reydet
>> _______________________________________________
>> Seaside mailing list
>> Seaside at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>
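Added example (not code from this thread, from REServe, or from the MySQL driver): a small Squeak class that wraps Will's doubling rule so that callers get back a complete, quoted literal and never splice raw input into SQL themselves. The class name SqlQuoter and the selectors escape:, quote: and quoteInteger: are my own; the category name is also made up.

```smalltalk
"Added example, not from the original thread. SqlQuoter centralises the two
 things the escaping discussion above implies: string values must be escaped
 AND surrounded by single quotes, and numeric values cannot be protected by
 escaping at all, so they are type-checked instead."
Object subclass: #SqlQuoter
    instanceVariableNames: ''
    classVariableNames: ''
    poolDictionaries: ''
    category: 'Examples-SqlEscaping'.

SqlQuoter class >> escape: aString
    "Double every single quote and backslash, the same rule as asEscapedSql.
     MySQL treats backslash as an escape character inside a '...' literal,
     which is why it is doubled as well as the quote."
    ^ String streamContents: [ :stream |
        aString do: [ :char |
            (#($' $\) includes: char) ifTrue: [ stream nextPut: char ].
            stream nextPut: char ] ]

SqlQuoter class >> quote: aString
    "Escape and then wrap in single quotes. This is the only form of a user
     supplied string that should ever be concatenated into a statement."
    ^ '''' , (self escape: aString) , ''''

SqlQuoter class >> quoteInteger: anObject
    "Integers appear unquoted in SQL, so escaping offers no protection there;
     only a genuine Integer is accepted, anything else raises an error."
    anObject isInteger
        ifFalse: [ ^ self error: 'expected an Integer, got ' , anObject printString ].
    ^ anObject printString

"Usage with a constructed, hostile-looking input. The value stays inside the
 literal because every embedded quote has been doubled:"
SqlQuoter quote: 'O''Brien'' OR 1=1 -- '.

"A WHERE clause built only from quoted pieces (constructed example):"
'SELECT * FROM users WHERE name = ' , (SqlQuoter quote: 'O''Brien')
    , ' AND id = ' , (SqlQuoter quoteInteger: 42).

"Passing a string where an integer is expected is rejected rather than spliced in:"
[ SqlQuoter quoteInteger: '42 OR 1=1' ] on: Error do: [ :e | e messageText ].
```

Two caveats worth keeping in mind when using this in Squeak: the backslash doubling is a MySQL habit (in standard SQL and in PostgreSQL's default configuration a backslash inside a literal is an ordinary character, so `\\` would store two backslashes), and the escaping only helps inside a quoted string literal, which is why quoteInteger: validates the type instead of escaping. If the driver you end up with grows support for placeholders, prefer those over any hand-built quoting.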



More information about the Seaside mailing list