Doctrine2 security - doctrine-orm

I am writing a server application in the Symfony2 framework using the Doctrine2 ORM. Now I need to secure my database against SQL injection. I have read about this a little and I know that Doctrine2 prepared statements can protect my app from SQL injection attacks. But does this secure me 100%? Is there really no possibility to attack my server app? If there is a way, how can I defend against it?

When you keep using Doctrine everywhere, all your statements will be secured via Doctrine.
I think no one can answer with: "There is 100% security".
But when there is a known security issue relating to Doctrine, I am pretty sure it will be fixed soon, because there are many users working with it and many developers contributing to it.
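As an added illustration of what the question and answer above are about (this is not code from the original thread), the example below uses plain PDO with an in-memory SQLite database so it runs without Doctrine; Doctrine ORM's `setParameter()` and DBAL's `executeQuery($sql, $params)` bind values through the same prepared-statement mechanism, so the same rules apply. It contrasts string concatenation with a bound parameter, and shows the one place binding does not reach: identifiers such as a sort column, which need an allowlist.

```php
<?php
declare(strict_types=1);
// Added example, not from the original question or answer. Plain PDO + SQLite
// stands in for Doctrine so the file runs on its own; the binding rules are the same.

// Pattern 1: string concatenation. The input becomes part of the SQL text and
// can change the meaning of the WHERE clause.
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Pattern 2: prepared statement. The input travels as a bound value, so it can
// only ever be compared against the name column, never alter the query.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Pattern 3: binding covers values only. A sort column is an identifier and
// cannot be a parameter, so check it against an allowlist before interpolating.
function listSortedBy(PDO $pdo, string $column): array
{
    $allowed = ['id', 'name', 'role'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column: $column");
    }
    return $pdo->query("SELECT name FROM users ORDER BY $column")->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed input such as a lookup form might receive: a tautology instead of a name.
$userInput = "nobody' OR '1'='1";

var_dump(findByNameConcat($pdo, $userInput));   // the tautology widened the WHERE clause
var_dump(findByNamePrepared($pdo, $userInput)); // the tautology is compared as a literal name
var_dump(listSortedBy($pdo, 'name'));           // allowed identifier
try {
    listSortedBy($pdo, 'created_at');            // not in the allowlist, rejected before the DB
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php` (pdo_sqlite is bundled with standard PHP builds); the point for the Doctrine question is that binding protects every query only as long as no user input is ever concatenated into DQL or SQL text, and identifiers still need validation.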

Related

Doctrine, microservices, and zend expressive

I recently started delving into Zend Expressive. I know Zend typically makes use of Zend DB. In my project I am developing microservices and was wondering what the opinion is about using Doctrine with regard to microservices in Zend Expressive. Any thoughts or opinions would be appreciated.
There's no general rule forbidding Doctrine in an Expressive project. I'm finishing up such a project this week (a full line-of-business app, not a microservice), and it's gone very well. If Doctrine fits your model, there's no reason to eschew it just because you're writing a small app.
You can use Doctrine with any PHP framework, including Zend Expressive. The question you should ask yourself is: do you really need Doctrine? If you have to create an application with complex domain logic, then Doctrine is exactly what you are looking for. Alternatively, you can use Table and Row Gateways to map your database tables or rows and to interact with your database in an object-oriented way. Personally, I would not recommend using Doctrine for small applications with no, or very simple, business logic.

using django apps vs established apps...security?

I've been making a site in Django and am thinking about using some of the apps available online for things like a wiki or forum. I was wondering what the drawbacks are. Are those apps likely to be less secure than using something like vBulletin or MediaWiki instead?
In general, is Django pretty secure to begin with? I know almost nothing about security, so I find myself wondering sometimes.
vBulletin and MediaWiki are pretty insecure apps. I think a typical Django app is much more secure than these two :-)
Django by default prevents many security mistakes (SQL injection, XSS, CSRF), so a developer would have to make an effort to create an insecure app.

Self-host a REST web-service for Geonames

I'm using Geonames.org for textbox auto-complete. Very neat feature.
They provide both the database and a REST endpoint, something like this: http://api.geonames.org/postalCodeLookupJSON?postalcode=6600&country=AT&username=demo
However, as per the requirement (decrease auto-complete latency, eliminate external resource dependency) I wish to host the database on my server. Geonames provides the database for export, which is nice. However, then I'm facing a task of writing my own REST service solution for accessing my database with imported geo data.
At the same time, I don't think I'm the only person facing an issue like this, so I was wondering what your takes on this are. What would be the fastest, best solution in this situation? Is it really necessary to write a REST service from scratch? Or is there a library for that, and I just can't find it?
Environment: ASP.NET (but it's probably going to be a separate web-application anyways, so I'm open to other offerings such as Node.js, Ruby on Rails - whatever will be the least development time).

Redmine project data for all projects

I am working on creating a dashboard which would access Redmine project data. This dashboard will be a consolidation of project data (delivery date, manager, start date, total issues, open issues, closed issues, bug count etc.) for all projects in the Redmine database.
Any ideas on how to do this? An SQL query to achieve this would be a good start. I have Redmine set up on my local system and can access the Redmine database.
I plan on creating an HTML5 .Net based web application. Once I figure out the queries to be used, I would write an IIS (or REST) service to fetch the desired data from the Redmine production database.
Any help/pointers would be deeply appreciated.
Regards,
Pranjal
You have basically three options:
use the REST API
develop a redmine plug-in
do some custom SQL stuff
REST API
The best you could do is to use the redmine REST API. Using it, you can fetch the data directly from redmine without any SQL queries or manipulating the server. It should even work when the redmine server is updated.
Redmine Plug-in
The next best thing is probably to develop a redmine plug-in. Your plug-in can access redmine classes (Project, User, etc.). For example, you could do something like Project.all.map { |p| [p.id, p.identifier] } to get the id and identifier of all projects in an array. This approach is way more powerful than using the REST API, but you have to modify the redmine server (install and maintain your plug-in). A plug-in is probably more fragile than the REST API when redmine changes internal structures.
Custom SQL stuff
I do not recommend developing custom SQL solutions, but it is an option. Such a solution is harder to develop, more fragile, harder to set up, but might offer better performance.
You can see the redmine database structure listed in db/schema.rb. Having the right schema, you could develop your custom SQL queries and return the results to your dashboard.
Think about security
Apart from the usual security stuff (which you should consider too :)), remember that redmine has a rich permission system. Consider which objects you make (publicly) available. This is most important for the last two options. When using the plug-in approach, you should have a look at the User#allowed_to? method.
With the little information I have about your requirements, I have the feeling that you should go for the REST API.

WebServices for CRUD in playframework

Some friends and I are going to develop a web site with the Play framework and a mobile application (Android and iPhone). So we need to make some web services for the mobile application (CRUD). So we thought about using these web services in our Play framework application instead of wasting time creating the CRUD with Anorm (writing all the SQL requests).
Well, I'm here to ask for your opinion. Is this a good thing to do? What is the best advised method here?
Thank you.
PS: the web services are automatically generated with Netbeans from our database.
There are various reasons why I would advise against this approach.
A general design rule is not to expose your internal data model to the user. This rule comes in many flavors, of which the layered architecture is probably the best known.
In detail there will be issues like:
Tuning performance: This is hard to achieve because you have no, or not much, control over the generated web services. When your application is really taking off, you will suffer from this limitation.
Access to the service: I don't know whether you generate RESTful web services or WS-* ones. The latter will get you in trouble when accessing them from an iPhone.
Design, Play vs. synchronous web services: Also related to performance is the issue that the generated service is likely synchronous and blocking, which does not fit well with the non-blocking approach the Play framework takes.
Abstraction level: Because your database is based on sets but your business model likely is not, you will have issues developing a decent client, tuning the performance, doing proper validation, security, etc.
Authentication, authorization and accounting: Hard to do because the database only knows the DB system users.
Change: What if you change your database model? Will the generated services continue to work? Do you have to adapt them even if you just add a column?
...
Some of those reasons do overlap, but I think the general problem should be clear.
Instead of this approach I would recommend the following. Develop a RESTful endpoint for your app, which is not that hard to do. This is the external contract against which the clients should be developing. play-mini, for example, has a very neat, Unfiltered-based API for this. While doing this, focus on the operations your app really needs. CRUD in general is a bad model when thinking about production-ready software.
How you access your database is another decision you have to make, but it is probably not that important, because it is not your external contract, so you can change it when you have the need to do so.