On Wed, Jun 8, 2011 at 7:55 PM, Jeremy Evans <[email protected]> wrote: > On Jun 8, 3:55 pm, Michael Lang <[email protected]> wrote: >> > I would certainly recommend against this approach. If you do it >> > anyway, you'll have to use a Rack middleware that does something like: >> >> Seems more complicated than needs to be...I use Padrino/Sinatra >> fronted by Passenger under Apache 2, which will only execute >> single-threaded anyway (that is one connection per client) and the >> following works for me: >> >> Datacenter.controllers :reports, :parent => :schema do >> before do >> @current_schema = params[:schema_id].to_sym >> use_schema @current_schema >> end >> >> use_schema is just a helper method defined as: >> >> def use_schema(schema) >> DB.execute("use #{schema}") >> end >> >> I have about 30 users concurrently under this approach and there >> hasn't been any issues with schemas getting inadvertently switched. >> Works correctly with AJAX calls, too. > > Two things about your approach: > > 1) It only works for single threaded code, and Sequel is multi- > threaded by default. > Sequel may be multi-threaded by default, but its still self-contained within each process' workspace per each apache/passenger request. Therefore a single application instance per process/worker and thus a single database connection per process/worker handling a single request at a time.
http://www.modrails.com/documentation/Architectural%20overview.html nginx + unicorn or jruby + tomcat may be an entirely different story! > 2) It is vulnerable to denial of service since you are interning a > user defined string. On most Sequel adapters, literalizing symbols > Good point on the injection vector. I actually removed some "guard code" from the posted example as it didn't contribute to the point being illustrated. For what its worth, I compare the schema_id against the list of schemas I already have loaded in memory before passing in to the DB.execute (hence the seemingly unnecessary conversion to a symbol). If the schema passed is invalid, I do a graceful redirect to the list of schemas main page of the web site. This one actually surfaced when I had a user misspell the schema name one day trying to type the whole URL in instead of just going to the main page and navigating. I wasn't even thinking about the SQL injection potential! Michael -- http://codeconnoisseur.org -- You received this message because you are subscribed to the Google Groups "sequel-talk" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/sequel-talk?hl=en.
