<html><body bgcolor="#FFFFFF"><div>You are only safe from injection with Glorp if your platform and driver support (and have enabled) column binding and you never construct queries by concatenating strings.<br><br>Sent from my iPhone</div><div><br>On 2011-04-19, at 13:31, "Diogenes Moreira" <<a href="mailto:diogenes.moreira@gmail.com">diogenes.moreira@gmail.com</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><span class="hps" title="Click for alternate translations"><div><div><font class="Apple-style-span" face="arial, sans-serif" size="3">Dont worry about SqlInjection because:</font></div>
<div><font class="Apple-style-span" face="arial, sans-serif" size="3"><br></font></div><div><font class="Apple-style-span" face="arial, sans-serif" size="3">A. You do not have access to the image objects from request. Seaside use the callback registry. </font></div>
<div><font class="Apple-style-span" face="arial, sans-serif" size="3">B. The binding of the fields and properties is automatic, any one can't do something like that 'A and 1=1'.</font></div><div><font class="Apple-style-span" face="arial, sans-serif" size="3"><br>
</font></div><div><font class="Apple-style-span" face="arial, sans-serif" size="3">SQLString is composed by Glorp, but all string are saves for the platforms objects..</font></div><div><font class="Apple-style-span" face="arial, sans-serif" size="3"><br>
</font></div><div><font class="Apple-style-span" face="arial, sans-serif" size="3">Best. </font></div></div><div><font class="Apple-style-span" face="arial, sans-serif" size="3"><br></font></div><div><font class="Apple-style-span" face="arial, sans-serif" size="3"><span class="Apple-style-span" style="font-size: 16px; "><span class="hps" title="Click for alternate translations">If you</span> <span class="hps" title="Click for alternate translations">find</span> <span class="hps" title="Click for alternate translations">a way</span> <span class="hps" title="Click for alternate translations">to make</span> <span class="hps" title="Click for alternate translations">SQLInject</span> <span class="hps" title="Click for alternate translations">..</span> <span class="hps" title="Click for alternate translations">please</span> <span class="hps" title="Click for alternate translations">let me know</span><span title="Click for alternate translations" class="">:</span><span title="Click for alternate translations" class="">)</span></span></font></div>
<div><font class="Apple-style-span" face="arial, sans-serif" size="3"><span class="Apple-style-span" style="font-size: 16px; "><span title="Click for alternate translations" class=""><br></span></span></font></div><div><font class="Apple-style-span" face="arial, sans-serif" size="3"><span class="Apple-style-span" style="font-size: 16px; "><span title="Click for alternate translations" class=""><br>
</span></span></font></div></span><div><div class="gmail_quote">On Tue, Apr 19, 2011 at 1:56 PM, Peter Kwangjun Suk <span dir="ltr"><<a href="mailto:peter.kwangjun.suk@gmail.com"><a href="mailto:peter.kwangjun.suk@gmail.com">peter.kwangjun.suk@gmail.com</a></a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hello,<br>
<br>
I've been playing around with a small application in Seaside/Magritte<br>
running on Pharo 1.2.1, Cog VM, on OS X. I'm primarily interested in<br>
small sites/apps with lightweight persistence. GLORP would be a good<br>
option though not exactly lightweight, since it is largely transparent<br>
to the application code, but I am concerned about SQL-injection<br>
attacks. Is there a good, quick guide/library for proofing GLORP<br>
against SQL injection attacks, or is there another lightweight option<br>
for single-image persistence which is also transparent? I have seen<br>
references to Magma, and I've noted that many say it adds about 30<br>
seconds to image startup. I have dabbled with SandstoneDB, but find<br>
that there's too much involvement with application code. I've also<br>
read through the persistence section of the Seaside book, but I find I<br>
still cannot make up my mind.<br>
<br>
I would love it if I could just leverage meta-data from Magritte, and<br>
have my objects be magically persistent, with no changes to<br>
application code, and no worries about SQL injection.<br>
<br>
Any recommendations?<br>
<br>
--Peter<br>
<br>
--<br>
There's neither heaven not hell,<br>
save what we grant ourselves.<br>
There's neither fairness nor justice,<br>
save what we grant each other.<br>
_______________________________________________<br>
seaside mailing list<br>
<a href="mailto:seaside@lists.squeakfoundation.org"><a href="mailto:seaside@lists.squeakfoundation.org">seaside@lists.squeakfoundation.org</a></a><br>
<a href="http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside" target="_blank"><a href="http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside">http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside</a></a><br>
</blockquote></div><br></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>seaside mailing list</span><br><span><a href="mailto:seaside@lists.squeakfoundation.org">seaside@lists.squeakfoundation.org</a></span><br><span><a href="http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside">http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside</a></span><br></div></blockquote></body></html>