WMB - Is it possible to inject esql commands? - sql-injection

Well, the title is quite self-explanatory.
Is it possible somehow to inject commands into IBM WMB, or is it an injection-safe system?

It's only possible if you have written some really insecure ESQL in the first place.
If you have a compute node which uses the EVAL function, then ESQL may be injected; however, the source of the injection is still under the control of the ESQL author.
Best practice advice is to avoid the use of this operator altogether.
The other thing that is possible, which is not directly ESQL related, is the use of the PASSTHRU statement to pass SQL directly to a database. The resulting SQL does not use parameter markers, etc., so failure to validate the input to the PASSTHRU function could also allow injection on the database.
Best practice is to avoid the use of both the EVAL and PASSTHRU statements altogether.

Related

Difference between JPAQuery and JPAQueryFactory

What is the difference between JPAQuery and JPAQueryFactory?
And when to use which?
According to the querydsl reference documentation:
Both JPAQuery and HibernateQuery implement the JPQLQuery interface.
For the examples of this chapter the queries are created via a JPAQueryFactory instance. JPAQueryFactory should be the preferred option to obtain JPAQuery instances.
But I could not understand it clearly.
Can anyone explain it briefly?
What matters is that Hibernate's query language (HQL) is a superset of JPA's query language (JPQL). Hibernate also has a special method for result set transformation and is able to iterate over scrollable result sets without the need to keep a reference to all records in memory. In order to take advantage of this extra functionality, the HQLTemplates and the HibernateHandler have to be used. The first is responsible for serializing the additional types of expressions, the second for the integration with Hibernate's Query implementation. The HibernateHandler is actually obtained from the HQLTemplates as well, so all that remains is specifying HQLTemplates.
And in fact: a JPAQuery instantiated with HQLTemplates.INSTANCE for the Templates variable, behaves the same as a HibernateQuery. FWIW, if you provide an EntityManager instance with the construction of your JPAQuery, then the appropriate implementation for Templates is deduced for your ORM vendor automatically.
All JPAQueryFactory really is, is a factory method that binds the EntityManager and Templates variables for newly instantiated JPAQueries. This eliminates the need to pass these as a variable individually for each instantiation of a JPAQuery.
There is no need to use the JPAQueryFactory, but it could make your code easier to read. Furthermore, a lot of code examples on the QueryDSL website utilize the query factory, so it might make it easier to use these examples as snippets in your own code.

How to make a no-op change to a linq query that will appear in the DbCommandTree in EF

I have a LINQ query
Context.Set<Entity>().Where(x => x.condition == true).Select(x => new ViewModel { Property = x.Property });
I would like to be able to make a change to the LINQ query through something like this
Context.Set<Entity>().ChangeLinqQuery("String").Where(x => x.condition == true).Select(x => new ViewModel { Property = x.Property });
So that when I capture the DbCommandTree in my EFProviderWrapper I will be able to spot the change and capture the String. I also wish to be sure that the expression is applied to that particular reference to the Entity so that if I join the Entity on itself it will still be able to tell that that particular reference to Entity is the one I mean to alter.
The goal is to be able to alter the SQL generated by EF, so if you have a better means of achieving this goal please feel free to provide it.
I don't think this is possible. Your ChangeLinqQuery would have to add some custom expression into the expression tree created behind the scenes. The problem is that this expression tree is translated to ESQL - that is what DbCommandTree describes (it is not SQL). As far as I know, ESQL is not extensible, so you cannot add any custom expressions to this process. Even if you could, it would most probably mean that you would have to rewrite much of the SQL generation to satisfy your needs, i.e. not developing a provider wrapper but a provider itself.
Your best choice with EF is simply to replace table names in the generated SQL, which will be complex, slow and, unless you build a strong SQL parser following its syntax, error prone.
Your best choice is simply not to use EF, as I already recommended in your previous question.

Zend Framework Filter, prevent sql injection

For some important reasons I can't use the standard methods provided by ZF to prevent SQL injection. I have just written this (and I am using it on all POST/GET data from the user):
$filter = new Zend_Filter_PregReplace();
$filter->setMatchPattern(array("/[';`]/"))
->setReplacement(array(''));
I am using MySQL database only. Is it enough? Is it secure now?
Never do stuff like this using regular expressions. If you can't use Zend's database methods, use whatever sanitation the database library offers you. For MySQL's procedural wrapper, it would be mysql_real_escape_string(). For PDO, parameterized queries will take care of it automatically. And so on.
That said, I really don't understand why this is necessary in the first place. Why can't you use what the Framework offers? I bet there is a better workaround than doing sanitation on your own.
You really should use the sanitization provided by the framework - Zend (PDO, ORM). If you don't, there is probably something already going wrong.
There are so many ways to inject malicious code that, to exclude all of them, you would have to find or roll your own framework of some kind to be safe.
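The following is an added example, not code from any of the answers above; it is written in Python against an in-memory SQLite table so that it runs stand-alone, and the table rows are constructed for the demonstration. It ports the Zend_Filter_PregReplace pattern from the question (strip every ', ; and backtick) and shows why the answers reject it: in a numeric WHERE clause the attacker needs none of those characters, so the filter changes nothing and both a tautology and a UNION read-out of the password column go through. The same shape is what the WMB answer warns about for PASSTHRU: once input is concatenated into statement text, character filtering is not a defence; binding the value with a parameter marker (which PASSTHRU also supports via ? placeholders and a VALUES list) is.

```python
import re
import sqlite3

# Constructed sample table; not data from any of the threads above.
USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
    (3, "carol", "pw"),
]


def strip_quotes(value: str) -> str:
    """Python port of the Zend_Filter_PregReplace in the question:
    removes every ' ; and backtick, and nothing else."""
    return re.sub(r"[';`]", "", value)


def fresh_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the filtered input is spliced into the statement text,
    the same shape as PASSTHRU with a concatenated string or a hand-built
    query in PHP. The WHERE clause is numeric, so the attacker needs no
    quote, semicolon or backtick and the filter removes nothing."""
    sql = "SELECT id, name FROM users WHERE id = " + strip_quotes(user_id)
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Safe: the value is bound to a parameter marker, so the database
    receives it as data and never parses it as part of the statement.
    A payload such as '1 OR 1=1' is compared as a whole against id and
    simply matches nothing."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    tautology = "1 OR 1=1"
    union = "1 UNION SELECT id, password FROM users"
    print("filter leaves payload intact:", strip_quotes(tautology) == tautology)
    print("concat, benign input :", lookup_concat(db, "1"))
    print("concat, tautology    :", lookup_concat(db, tautology))
    print("concat, UNION        :", lookup_concat(db, union))
    print("param, benign input  :", lookup_param(db, "1"))
    print("param, tautology     :", lookup_param(db, tautology))
```

The numeric context is only the simplest bypass. In a quoted context on MySQL the same filter also fails, because a lone backslash left in the input turns the closing quote into an escaped character and lets a second injected field break out of the string; SQLite does not treat backslash as an escape, so that variant is not shown here. Parameter binding closes both cases without any knowledge of which characters matter to the database.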

Moving from Class::DBI to DBIx::Class

I'm currently doing some research on DBIx::Class in order to migrate my current application from Class::DBI. Honestly, I'm a bit disappointed with DBIx::Class when it comes to configuring the result classes. With Class::DBI I could set up metadata on models just by calling a function on the model, without a code generator and so on. My question is: can I do the same thing with DBIx::Class? Also, it seems that client-side triggers are not supported in DBIx::Class, or am I looking at the wrong docs?
Triggers can be implemented by redefining the appropriate method (new/create/update/delete etc) in the Result class, and calling the parent (via $self->next::method()) within it, either before or after your code. Admittedly it's a bit clumsy compared to the before/after triggers in Class::DBI.
As for metadata - are you talking about temporary columns on an object, i.e. data that won't be stored in the database row? These can be added easily using one of the Class::Accessor::* modules on CPAN.
One of the hardest changes to make when switching from CDBI to DBIC is to think in terms of ResultSets - often what would have been implemented via a Class method in CDBI becomes a method on a ResultSet - and code may need to be refactored considerably, it's not always a straightforward conversion from one to the other.

IQueryable<T> vs IEnumerable<T> with Lambda, which to choose?

I am doing more and more exercises with lambdas, but I cannot figure out why sometimes the examples use .AsQueryable(), which uses IQueryable, and sometimes omit .AsQueryable() and use IEnumerable.
I have read the MSDN but I do not see how "executing an expression tree" is an advantage over not doing so.
Can anyone explain it to me?
IQueryable implements IEnumerable, so right off the bat, with IQueryable, you can do everything that you can do with IEnumerable. IQueryables deal with converting some lambda expression into a query on the underlying data source - this could be a SQL database, or an object set.
Basically, you should usually not have to care one way or the other if it is an IQueryable, or an IEnumerable.
As a user, you generally shouldn't have to care; it's really about the implementor of the data source. If the data provider just implements IEnumerable, you are basically doing LINQ to Objects execution, i.e. it's an in-memory operation on collections. IQueryable provides the data source with the capability to translate the expression tree into an alternate representation for execution once the expression is executed (usually by enumeration), which is what Linq2Sql, Linq2Xml and Linq2Entities do.
The only time I can see the end user caring is if they wish to inspect the expression tree that would be executed, since IQueryable exposes Expression. Another use might be inspecting the Provider. But both of those scenarios should really be reserved for implementors of other query providers who want to transform the expression. The point of LINQ is that you shouldn't have to care about the implementation of expression execution to be used.
I agree with Arne Claassen; there are cases when you need to think about the underlying implementation provided by the data sources. For example, check this blog post, which shows how the SQL generated by IEnumerable and IQueryable is different in certain scenarios.