[Registry-dev] Persistence registry - Implementation options
Paul Fremantle
paul at wso2.com
Fri Aug 31 08:34:43 PDT 2007
We will definitely need to cope with SQL injection attacks.
Paul
Afkham Azeez wrote:
> We may have to build SQL queries based on inputs provided to the
> Registry. In such a case, do we have to address issues like SQL
> injection & handling special SQL chars etc. or do we simply ignore those
> for the moment? Or won't these problems occur in the context of the
> registry?
>
> --
> thanks
> Azeez
>
> Sanjaya Karunasena wrote:
>> In my opinion JDBC already has it. Only requirment is to stay away
>> from DB specific feature like ORACLE text search, select quaries with
>> incremental ranges, etc.
>>
>> I will use an ORM when my domain model is very different to relational
>> model or when I have to write complex logic in the data access layer
>> where I ended up hating the JDBC API.
>>
>> /Sanjaya
>>
>> On Friday 31 August 2007, Paul Fremantle wrote:
>>> I agree the Registry DB is pretty damn simple. However, the points Azeez
>>> makes are valid - particularly isolation from a specific database.
>>>
>>> However, if we are willing to test against Oracle, MySQL, and Derby I
>>> think thats a reasonable starting point for the Registry. OTOH if we
>>> start having code like:
>>>
>>> if (Oracle) then /// oracle specific junk here
>>>
>>> then I will be very much in favour of moving to a tool like OpenJPA or
>>> Hibernate.
>>>
>>> Paul
>>>
>>> Sanjaya Karunasena wrote:
>>>> I don't think that the registry need any complex DB schema. Hence I see
>>>> very little value in a ORM for this requirement. Standard SQL is
>>>> powerfull enough to handle lot of complex queries. The required
>>>> abstraction is already there in the JDBC driver if we write the DA
>>>> layer
>>>> carefully.
>>>>
>>>> I am not very excited with hibernate since the hibernate query language
>>>> does not provide the real power of SQL. Yes it provides value if it is
>>>> large application.
>>>>
>>>> Just my view point...
>>>>
>>>> Thanks
>>>> Sanjaya
>>>>
>>>> On Friday 31 August 2007, Afkham Azeez wrote:
>>>>> I strongly feel that we need to use some sort of ORM. These take
>>>>> care of
>>>>> problems with SQL specific to DBMSs, SQL injection attacks, ability to
>>>>> do data manipulation stuff within transactions, escaping special SQL
>>>>> characters etc. If we are to use SQL+JDBC, we will have to handle
>>>>> all of
>>>>> these.
>>>>>
>>>>> One other advantage is that it is very easy to switch between
>>>>> different
>>>>> DBMSs. You need not have different SQL scripts for creation of the DB,
>>>>> Tables etc. e.g. in WSAS, we simply maintain the mapping file. It was
>>>>> very easy to switch from Derby to MySQL, Postgres or any other DB
>>>>> since
>>>>> Hibernate takes care of creating the necessary stuff.
>>>>>
>>>>> Thanks
>>>>> Azeez
>>>>>
>>>>> Sanjiva Weerawarana wrote:
>>>>>> I'm -1 on Hibernate. Let's just do SQL + JDBC .. that'll make it
>>>>>> easier
>>>>>> to do a good search API too.
>>>>>>
>>>>>> We should be storing fairly simple structured info in the database
>>>>>> tables- I really don't see a need to use an ORM tool.
>>>>>>
>>>>>> Sanjiva.
>>>>>>
>>>>>> Chathura C. Ekanayake wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have implemented the persistence registry for the previous
>>>>>>> requirements (i.e. with version control, links, etc.) using
>>>>>>> hibernate.
>>>>>>> But as we are going to
>>>>>>> cut down most of those features in 0.1 release, I have to rewrite
>>>>>>> some
>>>>>>> of the
>>>>>>> code. So it is easier if we finalize on the database
>>>>>>> implementation at
>>>>>>> this
>>>>>>> stage.
>>>>>>>
>>>>>>> We are having following options:
>>>>>>>
>>>>>>> Hibernate
>>>>>>> Plain SQL + JDBC
>>>>>>> Apache iBATIS
>>>>>>>
>>>>>>> As I have already implemented it using hibernate, it is easier to
>>>>>>> modify it to the new requirements, if we continue to use hibernate.
>>>>>>>
>>>>>>> Comments...
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Chathura
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Registry-dev mailing list
>>>>>>> Registry-dev at wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
>>>>> _______________________________________________
>>>>> Registry-dev mailing list
>>>>> Registry-dev at wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
>>>> _______________________________________________
>>>> Registry-dev mailing list
>>>> Registry-dev at wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
>>
>>
>> _______________________________________________
>> Registry-dev mailing list
>> Registry-dev at wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
>>
>
>
--
Paul Fremantle
Co-Founder and VP of Technical Sales, WSO2
OASIS WS-RX TC Co-chair
Office: +1 646 290 8050
Cell: +44 798 447 4618
blog: http://pzf.fremantle.org
paul at wso2.com
"Oxygenating the Web Service Platform", www.wso2.com
More information about the Registry-dev
mailing list