Patrick, I've been catching up with my emails, here are my comments:
On Tue, Aug 18, 2009 at 2:49 PM, Patrick Hof <patrick...@web.de> wrote:
> Hi Taras,
>
> Taras <ta...@securityaudit.ru> wrote:
>
>> > I know about the id, url and code columns, but they only give you a limited way of searching. So what are your current plans for the DB interface? Anything to see in the SVN already?
>>
>> Yes, you can svn checkout my (taras) branch and test the new version of the W3AF Proxy!
>> For the current moment there is only one way to make a full search I see. It's full text search :(
>> And I will research the WebScarab full text search feature (as I know it's open source).
>
> Hm, I'm sorry, but I can't see how I can do a full text search with the "Search:" bar. I know I can search in single requests/responses, but what I want to be able to do is to limit the requests shown with my search, in the same way I can already do with the code, id and url key words. Like "show me only the requests which have a response with the word 'error' in their bodies".
>
>> > > At the moment I rewrite the DB backend so I can easily make improvements.
>> >
>> > Sounds good, tell me more :).
>>
>> http://sourceforge.net/mailarchive/forum.php?thread_name=20090817001324.ddc34033.taras%40securityaudit.ru&forum_name=w3af-develop
>
> Already saw the post and read it :). Let me give you my 2c about the rewrite:
>
> You mention in your post that you want a simple wrapper for sqlite, and you mention the Active Record pattern which makes it easier to access the data in the DB. As far as I can see in your source code, there's still so much manual construction of SQL queries going on, many string concatenations etc. Have you ever considered using an already existing ORM for Python? I know it adds another dependency, but at the moment what I see is the reinvention of the wheel. The whole code with all the string concatenating going on for building the SQL queries just doesn't feel "clean", if you know what I mean.
>
> What I'd like to have is a clean ORM to the database (SQLAlchemy[0]? + Elixir[1] maybe?) so there's no need to write your own code interacting with the database. I also would like to save the requests and responses in the database in a way that makes the full, raw data accessible to me for searches. I love the idea of searching in the data with the search bar using SQL syntax. It gives me the power necessary to even do complex searches. So I would like to have unrestricted access to the underlying database with my search. I send the raw SQL query, w3af gets the results from the database and parses them for display in the proxy or results view. Perfect :).
>
> I see the following drawbacks with what I described above:
> - Another dependency for w3af because of the ORM

Yes, this is what I tried to avoid while using the manual parsist.py approach.

> - The ORM may slow down w3af

Hmmm, I don't really know how much slower an ORM is... we should test it.

> - Storing the requests and responses in an accessible way in the database may mean that we have to rebuild the FuzzableRequest objects every time we want to use a request from the database. On the other hand, I'm not sure if the current pickling/unpickling is that efficient either, actually.

The unpickling is only performed if the search query (that now is limited, I know) matches the object. In some cases there are a lot of objects that match the "SQL query", in some others you just have a couple.

> I haven't thought this through completely and the above are only my first ideas. I'm also still not familiar with all of w3af's intricacies, so there might be things I'm just completely missing here. So please tell me what you think and what else might need to be considered.
The ORM solution seems the best one, and the flexibility of being able to write "SQL code" in the search bar was initially the idea, but after some talks Taras convinced me that an easier and less low-level approach was needed.

@everybody: What ORM would you recommend? Any experience?

Cheers,

> [0] http://www.sqlalchemy.org/
> [1] http://elixir.ematia.de/
>
> --
> The Plague: You wanted to know who I am, Zero Cool? Well, let me explain
> the New World Order. Governments and corporations need people
> like you and me. We are Samurai... the Keyboard Cowboys... and
> all those other people who have no idea what's going on are
> the cattle... Moooo.
> (Hackers)
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
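As an added illustration of the design point raised in this thread (this is not code from w3af or from anyone in the discussion), the sketch below shows how a keyword search bar with the id, url and code key words, plus a body filter for Patrick's "responses containing 'error'" case, can be mapped onto SQLite without concatenating user text into the SQL string: every value is bound as a parameter and LIKE metacharacters are escaped. The history table layout, the sample rows, the `body` keyword and all function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample proxy history (not real w3af data): id, url, code, request, response.
SAMPLE_HISTORY = [
    (1, "http://example.test/login", 200, "POST /login HTTP/1.1", "<html>Welcome back</html>"),
    (2, "http://example.test/search?q=x", 500, "GET /search?q=x HTTP/1.1", "Internal Server Error: traceback follows"),
    (3, "http://example.test/admin", 403, "GET /admin HTTP/1.1", "Forbidden"),
    (4, "http://example.test/help", 200, "GET /help HTTP/1.1", "See the error codes section for details"),
]

# Search-bar keywords: id, url and code as in the thread, plus a hypothetical 'body' keyword.
KEYWORDS = {"id": "id", "url": "url", "code": "code", "body": "response_contains"}


def open_history():
    """Create an in-memory SQLite history table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE history (id INTEGER PRIMARY KEY, url TEXT, code INTEGER, "
        "request TEXT, response TEXT)"
    )
    conn.executemany("INSERT INTO history VALUES (?, ?, ?, ?, ?)", SAMPLE_HISTORY)
    return conn


def parse_query(text):
    """Turn 'code:500 body:error' into keyword arguments for search(); unknown keys are rejected."""
    filters = {}
    for token in text.split():
        key, sep, value = token.partition(":")
        if not sep or key not in KEYWORDS:
            raise ValueError("unknown search keyword: %r" % token)
        filters[KEYWORDS[key]] = int(value) if key in ("id", "code") else value
    return filters


def _like_pattern(fragment):
    """Escape LIKE metacharacters so user text is matched literally, then wrap it in wildcards."""
    escaped = fragment.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"


def search(conn, id=None, url=None, code=None, response_contains=None):
    """Return matching history ids. User values travel as bound parameters, never spliced into SQL."""
    clauses, params = [], []
    if id is not None:
        clauses.append("id = ?")
        params.append(id)
    if url is not None:
        clauses.append("url LIKE ? ESCAPE '\\'")
        params.append(_like_pattern(url))
    if code is not None:
        clauses.append("code = ?")
        params.append(code)
    if response_contains is not None:
        clauses.append("response LIKE ? ESCAPE '\\'")
        params.append(_like_pattern(response_contains))
    sql = "SELECT id FROM history"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = open_history()
    print(search(conn, **parse_query("body:error")))           # responses mentioning 'error'
    print(search(conn, **parse_query("code:200 body:error")))  # same, restricted to status 200
```

SQLite's LIKE is case-insensitive for ASCII, so `body:error` also matches "Internal Server Error". The escape step matters for the raw-SQL-in-the-search-bar idea discussed above: with bound parameters a search term such as `' OR 1=1 --` is just a literal that matches nothing, rather than something that rewrites the query.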