How can I protect PostgREST from SQL injection and other security issues? - postgresql

I want to use PostgREST. It looks like it will save me a lot of time. I am worried about security issues. If anybody has ideas about this, it would be very helpful to me.

You don't need to protect PostgREST from SQL injection, since it sanitises all user input.
We also ran an automated SQL injection detection tool against PostgREST and it did not detect anything.
If you still feel uneasy, you can use a WAF solution like https://github.com/p0pr0ck5/lua-resty-waf
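As an added illustration of the principle behind the answer above (this is not PostgREST's own code): a toy translator of PostgREST-style `column=op.value` filters in which table, column and operator names are checked against a whitelist and every value is handed to the database driver as a bind parameter. The schema, table name and `%s` placeholder style (psycopg2-like DB-API) are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Simplified model of how a filter such as GET /items?id=eq.42&name=like.foo*
# becomes SQL: identifiers are validated against the schema, values are bound.
# Constructed schema whitelist: table -> allowed columns (assumption).
SCHEMA = {"items": {"id", "name", "price"}}

# Operator whitelist: only these strings ever reach the SQL text.
OPERATORS = {"eq": "=", "neq": "<>", "gt": ">", "lt": "<", "like": "LIKE"}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_select(table: str, query_string: str):
    """Return (sql, params). Filter values never enter the SQL text."""
    if table not in SCHEMA:
        raise ValueError(f"unknown table: {table!r}")
    clauses, params = [], []
    for column, expr in parse_qsl(query_string, keep_blank_values=True):
        if column not in SCHEMA[table] or not _IDENT.match(column):
            raise ValueError(f"unknown column: {column!r}")
        op, sep, value = expr.partition(".")
        if not sep or op not in OPERATORS:
            raise ValueError(f"unknown operator in {expr!r}")
        if op == "like":
            value = value.replace("*", "%")  # PostgREST uses * as the wildcard
        # %s is a DB-API placeholder: the driver sends the value separately,
        # so it can only ever be compared as a literal, never parsed as SQL.
        clauses.append(f'"{column}" {OPERATORS[op]} %s')
        params.append(value)
    sql = f'SELECT * FROM "{table}"'
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


if __name__ == "__main__":
    # Constructed request: the id value carries SQL metacharacters, yet it
    # stays a bind parameter and the SQL text is unchanged.
    print(build_select("items", "id=eq.1' OR '1'='1&name=like.ab*"))
```

An unknown column or operator is rejected before any SQL is built, which is the other half of the defence: user input can choose only among pre-approved identifiers, never supply its own.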

Related

Using Sails.js with AWS DynamoDB... not ideal

I started working on a small POC and decided to give Sails.js a try :)
As part of the POC we wanted to use DynamoDB, since the project will eventually involve high scalability and we're not looking to hire a full-time MongoDB expert at this point.
We used the module: https://github.com/gadelkareem/sails-dynamodb
The problem is there is no documentation and the module does not even work...
It seems the sails ORM is not ideal for DynamoDB and requires writing custom DB services. Does anyone have experience with this?
I was very excited to come across Sails, but if it won't let us play nice with DynamoDB then it might very well be out as an option for us....
Does anyone have experience with this, or is there maybe something I'm missing?
One of the important pluses of vogels is its excellent documentation.
The sails-dynamodb adapter is based on vogels, but not all features are implemented in the adapter. For example, vogels has Expression Filters.
Vogels is able to create tables. The adapter can't. The adapter needs the table schema duplicated in the sails files and in the DynamoDB shell.
Vogels has some types of its own, such as a uuid type, StringSet, NumberSet, TimeUUID. (The adapter can use them too, if it includes Vogels and the Joi lib.)
Vogels and the adapter have the same query (create, update, delete, find) capabilities.
The adapter allows switching to another database without changing the code. The adapter encapsulates establishing the connection to the database.
Conclusion: for most purposes this adapter is suitable for the work, and you do not need to work directly with Vogels.
Sails comes loaded with an ORM called "Waterline". There are some official Waterline plugins such as mongodb, postgresql and mysql, and then there are some unofficial ones created by the community. I'd assume right now that Dynamo is in the latter category, since I have not come across it before. However, with that being said, I would not take this experience as a reason to ditch Sails.js.
Sails.js is built with the intention that all of its components can be swapped out. This means you are not tied to a specific template engine, authentication libraries, etc., including your ORM choice.
Waterline is still being actively developed, but it is at v0.12.1 as of writing this response. It isn't fully there yet, so there will be the odd issues still around!
My recommendation? Take a look at swapping out waterline for a different ORM. Keep the flexibility Sails gives you and change out the component that doesn't meet your criteria. There are still many benefits to Sails you can utilise.
Vogels might be worth checking out: https://github.com/ryanfitz/vogels
Turning off waterline: Is there a way to disable waterline and use a different ORM in sails.js?

Load a PostgreSQL database using cloudconnect

On the side of my GoodData project, I maintain a small PostgreSQL database that contains a few tables.
I would like to be able to integrate both my ETL processes using the same tool, and it seems to me CloudConnect would be the easiest way, since I already have my whole GoodData ETL in it.
Here are the ways I tried to do it without success:
I tried to have a look in the documentation, and it seems to me that all the functionalities of CloverETL that enable this (DBOutput, PostgreSQLDataWriter) are not available in CloudConnect.
I managed to connect to the Agile Data Warehouse Service (the database attached to GoodData), but it seems that only the ADS database is able to understand the request:
COPY MyDataBaseTable (field1,field2) FROM LOCAL '${DATA_TMP_DIR}/CIforADS.csv'
even when I adapt the syntax to PostgreSQL, because the dynamic addressing I use here does not seem to work.
Is there any way to proceed that I'm missing? Can anyone think of a workaround?
In general this could be achieved by using the "DBExecute" component, but
I'm not sure if I understand it well - do you want to load data into your own Postgres instance using CloudConnect?

MultiShardQuery on SQL Azure Elastic Scale with Entity Framework

I am new to Azure and I am trying to implement a multi-shard query using Elastic Scale and Entity Framework. Unfortunately I am not able to find any example solutions or good practices to achieve that target. Can anyone help me with this issue? I would be very grateful for some materials to study or hints. Thank you in advance.
Thanks for your question on multi-shard queries with Elastic Scale and EF. Currently, a straightforward integration like the one you probably saw for data-dependent routing is not available for multi-shard queries. This is an area we are currently investing in, though. Please contact me directly over email at torsteng(at)microsoft(dot)com and we can discuss whether your use case is a good fit and we can get you unblocked.
Thanks,
Torsten
Update for 2015: having come across similar requirements, I contacted Torsten to see if the situation had changed, and he kindly got back to me.
Hi Matt,
If your cross-db querying scenario with EF is limited to read-only access on the shards, I'd suggest taking a look at Elastic Query for SQL DB, currently in preview. The best entry points are probably the following documents:
Overview: https://azure.microsoft.com/enus/documentation/articles/sql-database-elastic-query-overview/
Step-by-step tutorial: https://azure.microsoft.com/en-us/documentation/articles/sql-database-elastic-query-getting-started/
With Elastic Query set up, you can point an EF DbContext to the external tables you have defined using the Elastic Query DDL. That DbContext can then be used for everything that requires cross-db querying. This is a somewhat intricate mix between code-first and db-first. But it should get you off the ground.
The instructions seem simple enough, but do involve setting up another database (at the moment Premium) in Azure. Hope that helps.
Coming back to the thread, since the sample for using elastic database tools (previously known as Elastic Scale) with EF is now available here.
Hope this helps!
Thanks
Silvia Doomra

What is the best way to connect an iPhone app to a MySQL database?

I want the approach with the fastest execution time. I'm not comfortable using a web service, because I need to create separate PHP pages and retrieve data as XML. If you think it's good to use a web service, please tell me why. I want to code my database queries right in my C/Objective-C files.
I've been searching for libraries. I saw Sequel Pro - won't I have any problems using this, like licensing issues? I also saw the libmysqlclient for Cocoa, but some say it's not working well. I've also read about a library developed by Karl Kraft found here http://www.karlkraft.com/index.php/2010/06/02/mysql-and-objective-c/ but don't know if I can trust this.
I would really appreciate your help.
Definitely build a web service to act as an abstraction layer to your database. Here are some significant reasons in my opinion:
Since you want speed, you will be able to add caching when using the web service, so you will essentially eliminate the need for identical queries to run (sometimes).
If you need to change your data model later, you just have to modify the web service backend and don't have to update your app.
You can better control security by not exposing the database to the world, and keep it safe behind the web service.
Your database credentials should not be stored in an app. What if you needed to change those?
I strongly suggest a web service. Hope this helps.
Connect to your DB with PHP and output the result as JSON.
It is much better and faster than XML, and less coding if you use a JSON framework.
And never, never try to connect to your DB from your iPhone, because it is easy to sniff out the request from the iPhone.
Better safe than sorry; keep that in mind.

Setting up a SQL injection honeypot

I just stumbled on a website vulnerable to an SQL injection attack by mistake (Is this site vulnerable to an SQL injection attack?).
That made me curious about what is tried, and how often an attack attempt comes by on some website.
So I'm thinking it would be cool to set up a honeypot on my server to see if / how often / using what techniques 'crackers' try to get access to my SQL data.
There are some basic things I can think of to lure them, like:
/login.php / asp url
/adminlogin.php / asp url
A search form
?id=111 URL
with some fake SQL errors when trying to inject some SQL.
Does anybody have more / better suggestions / ideas / whatever to set up a honeypot for SQL injection?
See this article if you want to set up a honeypot; it's got sample data that's injectable.
http://www.webappsec.org/projects/articles/091007.shtml
You can download the installation files here: http://www.webappsec.org/projects/articles/091007.zip
Use an example page that has known vulnerabilities to build your mock-up. Most of the drive-by injectors and their tools are going to have strings to test for that they know will work on subsets of the vulnerable application space.
For instance:
CVE-2011-1546 details one such vuln on something an attacker is likely to find on Google. The CVE repository is full of reports such as that, so you've got plenty of pages to build from as examples.
Once you're done getting your honeypot set up, index it on Google. Keep it isolated from anything else, and you've got a rudimentary SQL injection honeypot.
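To go with the "how often / using what techniques" question above, an added example (not from the answers) that turns a honeypot's access log for a decoy `?id=` page into per-client counts of the injection technique attempted. The log lines, the combined log format and the client IPs are constructed for the example; the technique patterns are deliberately coarse, since on a honeypot any hit on the decoy URL is already suspect.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Ordered from most to least specific; a request can match several.
TECHNIQUES = [
    ("tautology", re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)),
    ("union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment_terminator", re.compile(r"(--|#|/\*)")),
    ("stacked_query", re.compile(r";\s*\w")),
    ("time_based", re.compile(r"\b(sleep|pg_sleep|waitfor|benchmark)\b", re.I)),
    ("quote_probe", re.compile(r"['\"]")),  # least specific, checked last
]

# Apache/nginx combined log: client IP first, request line in quotes (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

# Constructed sample log: one benign hit, one quote probe, one tautology.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?id=111 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /index.php?id=111%27 HTTP/1.1" 500 128
198.51.100.9 - - [10/Oct/2024:13:56:01 +0000] "GET /index.php?id=111+OR+1%3D1-- HTTP/1.1" 200 512
"""


def classify_query(query: str) -> list[str]:
    """Return the technique names matching one URL-decoded query string."""
    return [name for name, rx in TECHNIQUES if rx.search(query)]


def summarize(log_text: str) -> dict[str, Counter]:
    """Count techniques per client IP across all parseable log lines."""
    per_ip: dict[str, Counter] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ip, path = m.groups()
        query = unquote_plus(path.partition("?")[2])  # decode %27, + etc.
        for tech in classify_query(query):
            per_ip.setdefault(ip, Counter())[tech] += 1
    return per_ip


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

Feed it the real honeypot log instead of SAMPLE_LOG and the per-IP table answers the original question directly; pairing it with the response code column would also show which fake SQL error pages the probes reached.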