Hi Taras,

Taras <ta...@securityaudit.ru> wrote:

> > I know about the id, url and code columns, but they only give you a limited way
> > of searching. So what are your current plans for the DB interface? Anything to
> > see in the SVN already?
>
> Yes, you can svn checkout my (taras) branch and test the new version of W3AF
> Proxy!
> For the current moment there is only one way to make full search I see. It's full
> text search :(
> And I will research the WebScarab full text search feature (as I know it's
> opensource).

Hm, I'm sorry, but I can't see how I can do a full text search with the "Search:" bar. I know I can search in single requests/responses, but what I want to be able to do is to limit the requests shown with my search, in the same way I can already do with the code, id and url key words. Like "show me only the requests which have a response with the word 'error' in their bodies".

> > > At the moment I rewrite DB backend so I can easily make improvements.
> >
> > Sounds good, tell me more :).
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=20090817001324.ddc34033.taras%40securityaudit.ru&forum_name=w3af-develop

Already saw the post and read it :). Let me give you my 2c about the rewrite:

You mention in your post that you want a simple wrapper for sqlite, and you mention the Active Record pattern which makes it easier to access the data in the DB. As far as I can see in your source code, there's still so much manual construction of SQL queries going on, many string concatenations etc. Have you ever considered using an already existing ORM for Python? I know it adds another dependency, but at the moment what I see is the reinvention of the wheel. The whole code with all the string concatenating going on for building the SQL queries just doesn't feel "clean", if you know what I mean. What I'd like to have is a clean ORM to the database (SQLAlchemy[0] + Elixir[1] maybe?) so there's no need to write your own code interacting with the database.

I also would like to save the requests and responses in the database in a way that makes the full, raw data accessible to me for searches. I love the idea of searching in the data with the search bar using SQL syntax. It gives me the power necessary to even do complex searches. So I would like to have unrestricted access to the underlying database with my search. I send the raw SQL query, w3af gets the results from the database and parses them for display in the proxy or results view. Perfect :).

I see the following drawbacks with what I described above:

- Another dependency for w3af because of the ORM
- The ORM may slow down w3af
- Storing the requests and responses in an accessible way in the database may mean that we have to rebuild the FuzzableRequest objects every time we want to use a request from the database. On the other hand, I'm not sure if the current pickling/unpickling is that efficient either, actually.

I haven't thought this through completely and the above are only my first ideas. I'm also still not familiar with all of w3af's intricacies, so there might be things I'm just completely missing here. So please tell me what you think and what else might need to be considered.

[0] http://www.sqlalchemy.org/
[1] http://elixir.ematia.de/

--
The Plague: You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai... the Keyboard Cowboys... and all those other people who have no idea what's going on are the cattle... Moooo. (Hackers)
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
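The concrete risk behind the complaint about string-concatenated SQL in the thread above is that response bodies are attacker-controlled input from the remote server, so any quote character in them lands inside the SQL text. The following is an added example, not code from w3af or from anyone in this thread; it uses Python's standard-library sqlite3 module instead of SQLAlchemy (which would give you the same parameter binding through its own API), a hypothetical table named http_exchange with the id, url and code columns mentioned in the mail, and constructed sample traffic. It shows a concatenated insert failing on a body containing an apostrophe, the same insert with bound parameters, and the "requests whose response body contains 'error'" filter the mail asks for.

```python
import sqlite3

# Constructed sample traffic for the example; not captured from any real host.
SAMPLE_EXCHANGES = [
    ("GET", "http://example.test/", 200, "<html>welcome</html>"),
    ("GET", "http://example.test/login", 500,
     "Internal Server Error: can't open 'users.db'"),
    ("POST", "http://example.test/search", 200, "no results"),
]

# Hypothetical schema; w3af's real tables may differ.
DDL = """
CREATE TABLE http_exchange (
    id            INTEGER PRIMARY KEY,
    method        TEXT    NOT NULL,
    url           TEXT    NOT NULL,
    code          INTEGER NOT NULL,
    response_body TEXT    NOT NULL
)
"""


def open_db():
    """Create an in-memory SQLite database holding the hypothetical table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return conn


def insert_concat(conn, method, url, code, body):
    """Query built by string concatenation: the style the mail objects to.

    The response body comes from the remote server, so whatever it contains
    becomes part of the SQL statement.  A single apostrophe is enough to make
    the statement unparseable; other characters could change its meaning.
    """
    sql = ("INSERT INTO http_exchange (method, url, code, response_body) "
           "VALUES ('" + method + "', '" + url + "', " + str(code) +
           ", '" + body + "')")
    conn.execute(sql)


def insert_bound(conn, method, url, code, body):
    """Same insert with bound parameters: the driver keeps the data out of the
    SQL text, which is also what an ORM such as SQLAlchemy does for you."""
    conn.execute(
        "INSERT INTO http_exchange (method, url, code, response_body) "
        "VALUES (?, ?, ?, ?)",
        (method, url, code, body),
    )


def concat_breaks_on_quote(conn):
    """Return True if the concatenated insert fails on the body with an apostrophe."""
    try:
        insert_concat(conn, *SAMPLE_EXCHANGES[1])
    except sqlite3.OperationalError:
        conn.rollback()
        return True
    return False


def load_samples(conn, exchanges=SAMPLE_EXCHANGES):
    """Store all constructed exchanges with bound parameters; return the row count."""
    for exchange in exchanges:
        insert_bound(conn, *exchange)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM http_exchange").fetchone()[0]


def search_body(conn, needle):
    """Ids of requests whose response body contains `needle`.

    SQLite's LIKE is case-insensitive for ASCII.  The pattern is bound as a
    parameter too, so a needle such as "can't" is safe; LIKE wildcards
    (% and _) inside the needle still act as wildcards.
    """
    rows = conn.execute(
        "SELECT id FROM http_exchange WHERE response_body LIKE ? ORDER BY id",
        ("%" + needle + "%",),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_db()
    print("concatenated insert broke on an apostrophe:", concat_breaks_on_quote(db))
    print("rows stored with bound parameters:", load_samples(db))
    print("requests with 'error' in the response body:", search_body(db, "error"))
```

The failed concatenated insert is the benign outcome; the point for the rewrite is that every query touching stored traffic should bind its values the way `insert_bound` and `search_body` do, whether that is done by hand or by the ORM, and that the same rule applies to the LIKE pattern built from the user's search string.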