Normally we use EOEditingContext and EOFetchSpecification to fetch objects or raw rows. EOUtilities.rawRowsForSQL is really only a "fallback" bare-metal utility method when the common EOF stuff does not do the unusual thing you are trying to do. Even then there is other functionality to work with SQL (EOSQLExpression) in an abstract way... and a lot of functionality in Project Wonder to work more effectively with raw rows.

If you are taking raw SQL (which a typical WebObjects developer very rarely, if ever, deals with) from untrusted input and executing it using EOUtilities.rawRowsForSQL, then *you* are Bleeding Obviously creating a security vulnerability in *your* application ;-)

What exactly are you trying to accomplish?

On Mar 17, 2009, at 10:17 AM, Andri vonAllmen wrote:

'loha Folks,

I'm searching for a possibility to prevent the 'NSUtilities.rawRowsForSQL()' method from making changes in the database. For me, it seems to be the wrong way to search for SQL Statements (like ALTER, CREATE, DROP, INSERT, UPDATE, etc.) that may change something before executing the method. Maybe there is a read-only option that I've missed?

Furthermore 'NSUtilities.rawRowsForSQL()' seems like some kind of security vulnerability to me, since it does commit without asking.

Any hints or suggestions for 'The School of Bleeding Obvious' will be accepted willingly.

Regards

Andri von Allmen



****************************************
CEDES AG
Andri von Allmen
Software Development
Science Park
CH-7302 Landquart
Switzerland

Phone:     +41 81 307 26 44 (direct)
Phone:     +41 81 307 23 23 (Switchboard)
Fax:          +41 81 307 23 25
E-Mail:    [email protected]
Internet:  www.cedes.com
****************************************
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/kieran_lists%40mac.com

This email sent to [email protected]
