Hi Kieran, thanks for your response.
The method is used in connection with a Window that provides the possibility to enter and execute (raw) SQL queries in order to generate Reports based on the returned data (it's some kind of a web based command-line utility like Oracle's iSQL*Plus).
Hence, the application has to deal with raw SQL urgently (however).
But after sleeping on it, I have a few solutions that might work.
One would be using database specific commands like the following for Oracle:

    COMMIT;                     -- induces a new transaction
    SET TRANSACTION READ ONLY;  -- prevents the following statements from making permanent changes
    [ANY SQL STATEMENT]
    COMMIT;                     -- this commit ends the transaction and does not write any changes

But since 'rawRowsForSQL' performs a complete transaction and can't handle multiple statements at once, this probably won't work (at least not for Oracle databases).
Another solution would be simply opening a read-only database connection or connecting to the database with a user that has read-only privileges. This should work in either case and eliminates my security concerns. But I first have to figure out how this is done.
Regards
Andri von Allmen
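As an added illustration of the read-only connection approach, here is a plain JDBC helper (the layer underneath EOF); it is not code from this thread, from WebObjects or from Project Wonder. It assumes an already opened java.sql.Connection, uses the Oracle SET TRANSACTION READ ONLY from the message above as an explicit second line of defence next to Connection.setReadOnly (which the JDBC spec defines only as a hint to the driver), and always rolls back, so nothing is ever committed; a database user that only holds SELECT privileges remains the stronger control.

```java
import java.sql.*;
import java.util.*;

/** Runs user-supplied report SQL on a connection that cannot commit changes. */
public final class ReadOnlyReportQuery {

    /** Executes sql and returns rows as a list of column-label -> value maps
     *  (the same shape rawRowsForSQL gives back as NSArray of NSDictionary). */
    public static List<Map<String, Object>> rawRowsReadOnly(Connection conn, String sql)
            throws SQLException {
        boolean oldAutoCommit = conn.getAutoCommit();
        boolean oldReadOnly = conn.isReadOnly();
        // setReadOnly must be called outside a transaction, so set it before
        // switching auto-commit off; it is a driver hint, not a guarantee.
        conn.setReadOnly(true);
        conn.setAutoCommit(false);        // no implicit commit after each statement
        List<Map<String, Object>> rows = new ArrayList<>();
        try (Statement stmt = conn.createStatement()) {
            // Oracle syntax (assumption: an Oracle connection); other databases
            // have their own equivalent, e.g. START TRANSACTION READ ONLY.
            stmt.execute("SET TRANSACTION READ ONLY");
            try (ResultSet rs = stmt.executeQuery(sql)) {
                ResultSetMetaData md = rs.getMetaData();
                int n = md.getColumnCount();
                while (rs.next()) {
                    Map<String, Object> row = new LinkedHashMap<>();
                    for (int i = 1; i <= n; i++) {
                        row.put(md.getColumnLabel(i), rs.getObject(i));
                    }
                    rows.add(row);
                }
            }
            return rows;
        } finally {
            // Never commit: discard whatever a statement may have attempted,
            // then hand the connection back in the state we received it.
            conn.rollback();
            conn.setReadOnly(oldReadOnly);
            conn.setAutoCommit(oldAutoCommit);
        }
    }
}
```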
>>> Kieran Kelleher <email@hidden> Tuesday, 17 March 2009 15:56 >>>
Normally we use EOEditingContext and EOFetchSpecification to fetch objects or raw rows. EOUtilities.rawRowsForSQL is really only a "fallback" bare metal utility method when the common EOF stuff does not do the unusual thing you are trying to do. Even then there is other functionality to work with SQL (EOSQLExpression) in an abstract way.... and a lot of functionality in Project Wonder to work more effectively with raw rows.
If you are taking raw SQL (which a typical WebObjects developer very rarely, if ever, deals with) from untrusted input and executing it using EOUtilities.rawRowsForSQL, then *you* are Bleeding Obviously creating a security vulnerability in *your* application ;-)
What exactly are you trying to accomplish?
On Mar 17, 2009, at 10:17 AM, Andri vonAllmen wrote:
'loha Folks,
I'm searching for a possibility to prevent the 'NSUtilities.rawRowsForSQL()' method from making changes in the database. For me, it seems to be the wrong way to search for SQL statements (like ALTER, CREATE, DROP, INSERT, UPDATE, etc.) that may change something before executing the method. Maybe there is a read-only option that I've missed?
Furthermore 'NSUtilities.rawRowsForSQL()' seems like some kind of security vulnerability to me, since it does commit without asking.
Any hints or suggestions for 'The School of Bleeding Obvious' will be accepted willingly.
Regards
Andri von Allmen