
List:       turbine-torque-dev
Subject:    Proposal for Automatic text escaping and overflow checking
From:       "Greg Monroe" <Greg.Monroe () DukeCE ! com>
Date:       2005-09-30 19:50:25
Message-ID: 0EBA2D5D58A98C4AAFBF2ACB6E625A260C190E () dukece-mail2 ! dukece ! com


I've often thought that it would be nice if Torque would automatically handle buffer overflow checking and SQL text escaping.  These are two of the biggest "gotchas" in application vulnerabilities and take a lot of time coding against (if you remember to do it).

I was looking at the code and think I have found a relatively easy way to handle this for most of Torque.  But before I start causing unseen problems, I thought I'd run it by everyone for any "gotchas".

First, it appears that all the common save methods end up going through the BasePeer method, insertOrUpdateRecord.  Here is where the objects are converted into Village values prior to being saved.  It seems like the section with:

if ( obj instanceof String ) {
    ....
}

is the place to do this.

Checking for length problems is easy using the MapBuilder.vm template mod I just submitted.  With this, the columnMap will have the size to check against the String length.  If it's too long, the code would throw a TorqueException (Should there be a TorqueException subclass like TorqueFieldOverflowException to indicate this specific error?)

Making sure that the string being saved has been escaped is a little harder.  This is because the current version of quoteAndEscapeText is non-repeatable.  E.g., if you call it twice, you double quote things.  There is a lot of existing code out there that calls this prior to doing a save.

So, in order for the new automatic escaping to work and not change the data value, the quoteAndEscapeText method needs to be re-written so it's repeatable.  Not a big deal, just some picky checking of the last or next characters before something is changed.  Once that's done, unescaped text will be automatically escaped and pre-escaped text will just be passed through.

So, that's it.  Seems simple enough.  Have I missed any "gotchas" or other issues that need to be considered?

TIA

Greg

Greg Monroe    <Monroe@DukeCE.com>    (919)680-5050
C&IS Solutions Team Lead
Duke Corporate Education, Inc.
333 Liggett St.
Durham, NC 27701
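The two checks the mail proposes, as an added example in Java that is not Torque's own code: a repeatable quoteAndEscapeText, where text that is already quoted with every inner quote doubled passes through unchanged, and a column-size check that throws a TorqueFieldOverflowException-style exception before the value is saved. The COLUMN_SIZES map and FieldOverflowException class are constructed stand-ins, not the Torque ColumnMap or any real Torque class.

```java
import java.util.HashMap;
import java.util.Map;

public class RepeatableEscape {
    /** Hypothetical stand-in for the TorqueException subclass the mail suggests. */
    public static class FieldOverflowException extends Exception {
        public FieldOverflowException(String msg) { super(msg); }
    }

    /** Constructed column sizes; in Torque they would be read from the ColumnMap. */
    static final Map<String, Integer> COLUMN_SIZES = new HashMap<>();
    static { COLUMN_SIZES.put("NAME", 8); }

    /** True if s already has the form 'xxx' with every inner quote doubled. */
    static boolean isQuotedAndEscaped(String s) {
        int last = s.length() - 1;
        if (last < 1 || s.charAt(0) != '\'' || s.charAt(last) != '\'') return false;
        for (int i = 1; i < last; i++) {
            if (s.charAt(i) != '\'') continue;
            // a lone inner quote means the text is still raw
            if (i + 1 >= last || s.charAt(i + 1) != '\'') return false;
            i++; // skip the second half of the doubled pair
        }
        return true;
    }

    /** Repeatable: raw text gets quoted and escaped; pre-escaped text passes through. */
    public static String quoteAndEscapeText(String s) {
        return isQuotedAndEscaped(s) ? s : "'" + s.replace("'", "''") + "'";
    }

    /** Length check against the declared column size, done before the value is saved. */
    public static void checkOverflow(String column, String value) throws FieldOverflowException {
        Integer size = COLUMN_SIZES.get(column);
        if (size != null && value.length() > size) {
            throw new FieldOverflowException(column + ": " + value.length() + " chars exceeds size " + size);
        }
    }

    public static void main(String[] args) throws FieldOverflowException {
        String once = quoteAndEscapeText("O'Brien");
        String twice = quoteAndEscapeText(once);
        System.out.println(once + " unchanged on second call: " + once.equals(twice));
        checkOverflow("NAME", "O'Brien");
        try {
            checkOverflow("NAME", "Montgomery");
        } catch (FieldOverflowException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A raw value that already looks like a quoted literal (starts and ends with a quote, inner quotes doubled) cannot be told apart from pre-escaped text and is stored with its outer quotes stripped; that ambiguity is inherent to escaping in place, which is why parameterized statements are the cleaner fix.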





