Hi Kieran, thanks for your response. The method is used in connection with a Window that provides the possibility to enter and execute (raw) SQL Queries in order to generate Reports based on the returned data (it's some kind of a web based command-line utility like Oracle's iSQL*Plus). Hence, the application has to deal with raw SQL urgently (however). But after sleeping on it, I have a few solutions that might work. One would be using database specific commands like the following for Oracle:

    COMMIT;                     -- induces a new transaction
    SET TRANSACTION READ ONLY;  -- prevents the following statements from making permanent changes
    [ANY SQL STATEMENT]
    COMMIT;                     -- this commit ends the transaction and does not write any changes

But since 'rawRowsForSQL' performs a complete transaction and can't handle multiple statements at once, this probably won't work (at least not for Oracle databases).

Another solution would be simply opening a read-only database connection or connecting to the database with a user that has read-only privileges. This should work in either case and eliminates my security concerns. But I first have to figure out how this is done.

Regards
Andri von Allmen

>>> Kieran Kelleher <[email protected]> Tuesday, 17 March 2009 15:56 >>>

Normally we use EOEditingContext and EOFetchSpecification to fetch objects or raw rows. EOUtilities.rawRowsForSQL is really only a "fallback" bare metal utility method when the common EOF stuff does not do the unusual thing you are trying to do. Even then there is other functionality to work with SQL (EOSQLExpression) in an abstract way.... and a lot of functionality in Project Wonder to work more effectively with raw rows.

If you are taking raw SQL (which a typical WebObjects developer very rarely, if ever, deals with) from untrusted input and executing it using EOUtilities.rawRowsForSQL, then *you* are Bleeding Obviously creating a security vulnerability in *your* application ;-)

What exactly are you trying to accomplish?

On Mar 17, 2009, at 10:17 AM, Andri vonAllmen wrote:

'loha Folks,

I'm searching for a possibility to prevent the 'NSUtilities.rawRowsForSQL()' method from making changes in the database. For me, it seems to be the wrong way to search for SQL Statements (like ALTER, CREATE, DROP, INSERT, UPDATE, etc.) that may change something before executing the method. Maybe there is a read-only option that I've missed?

Furthermore 'NSUtilities.rawRowsForSQL()' seems like some kind of security vulnerability to me, since it does commit without asking. Any hints or suggestions for 'The School of Bleeding Obvious' will be accepted willingly.

Regards
Andri von Allmen

****************************************
CEDES AG
Andri von Allmen
Software Development
Science Park
CH-7302 Landquart
Switzerland
Phone: +41 81 307 26 44 (direct)
Phone: +41 81 307 23 23 (Switchboard)
Fax: +41 81 307 23 25
E-Mail: [email protected]
Internet: www.cedes.com
****************************************

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/kieran_lists%40mac.com

This email sent to [email protected]
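The connection-level approach from Andri's reply (enforce read-only at the connection or database-user level rather than by scanning the SQL text), as an added example that is not part of this thread and is not WebObjects/EOF code: Python's sqlite3 stands in for the Oracle connection, and the `orders` table and the statements are constructed for the demo.

```python
import os
import sqlite3
import tempfile

def make_sample_db(path):
    """Constructed sample data for the demo, written over a normal connection."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
    con.executemany("INSERT INTO orders (total) VALUES (?)", [(10.0,), (25.5,)])
    con.commit()
    con.close()

def raw_rows_for_sql_readonly(db_path, sql):
    """Execute user-typed SQL over a connection that the driver opens read-only.

    Returns (rows, error). Any statement that tries to write is refused by
    the connection itself, so nothing depends on spotting UPDATE, DROP, etc.
    in the SQL text. In Oracle the same effect comes from connecting as a
    user that holds only CREATE SESSION and SELECT on the report tables.
    """
    con = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    con.row_factory = sqlite3.Row
    try:
        cur = con.execute(sql)
        return [dict(row) for row in cur.fetchall()], None
    except sqlite3.OperationalError as exc:
        # e.g. "attempt to write a readonly database"
        return [], str(exc)
    finally:
        con.close()

def demo():
    """Run one SELECT and two write attempts; report what the connection allowed."""
    path = os.path.join(tempfile.mkdtemp(), "reports.db")
    make_sample_db(path)
    rows, _ = raw_rows_for_sql_readonly(path, "SELECT id, total FROM orders ORDER BY id")
    _, update_err = raw_rows_for_sql_readonly(path, "UPDATE orders SET total = 0")
    _, drop_err = raw_rows_for_sql_readonly(path, "DROP TABLE orders")
    # Re-read the data: the refused statements left it untouched.
    after, _ = raw_rows_for_sql_readonly(path, "SELECT total FROM orders ORDER BY id")
    return {
        "select": rows,
        "update_error": update_err,
        "drop_error": drop_err,
        "totals_after": [r["total"] for r in after],
    }

if __name__ == "__main__":
    print(demo())
```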
