LINQ Conflict Detection: Setting UpdateCheck attribute - linq

I've been reading up on LINQ lately to start implementing it, and there's a particular thing as to how it generates UPDATE queries that bothers me.
Creating the entities code automatically using SQLMetal or the Object Relational Designer, apparently all fields for all tables will get attribute UpdateCheck.Always, which means that for every UPDATE and DELETE query, I'll get an SQL statement like this:
UPDATE table SET a = 'a' WHERE a='x' AND b='x' ... AND z='x', ad infinitum
Now, call me a purist, but this seems EXTREMELY inefficient to me, and it feels like a bad idea anyway, even if it weren't inefficient. I know the fetch will be done by the clustered primary key, so that's not slow, but SQL still needs to check every field after that to make sure it matches.
Granted, in some very sensitive applications something like this can be useful, but for the typical web app (think Stack Overflow), it seems like UpdateCheck.WhenChanged would be a more appropriate default, and I'd personally prefer UpdateCheck.Never, since LINQ will only update the actual fields that changed, not all fields, and in most real cases, the second person editing something wins anyway.
It does mean that if two people manage to edit the same field of the same row in the small time between reading that row and firing the UPDATE, then the conflict that would be found won't be fired. But in reality that's a very rare case. The one thing we may want to guard against when two people change the same thing won't be caught by this, because they won't click Submit at the exact same time anyway, so there will be no conflict at the time the second DataContext reads and updates the record (unless the DataContext is left open and stored in Session when the page is shown, or some other seriously bad idea like that).
However, as rare as the case is, I'd really like to not be getting exceptions in my code every now and then if this happens.
So my first question is, am I wrong in believing this? (again, for "typical" web apps, not for banking applications)
Am I missing some reason why having UpdateCheck.Always as default is a sane idea?
My second question is, can I change this civilizedly? Is there a way to tell SQLMetal or the ORD which UpdateCheck attribute to set?
I'm trying to avoid the situation where I have to remember to run a tool I'll have to make that'll take some regexes and edit all the attributes in the file directly, because it's evident that at some point we'll run SQLMetal after an update to the DB, we won't run this tool, and all our code will break in very subtle ways that we probably won't find while testing in dev.
Any suggestions?
War stories are more than welcome, I'd love to learn from other people's experiences on this.
Thank you very much!

Well, to answer the first question - I agree with you. I'm not a big fan of this "built in" optimistic concurrency, especially if you have timestamp columns or any fields which are not guaranteed to be the same after an update occurs.
To address the second question - I don't know of any way to override SqlMetal's default approach (UpdateCheck = Always); we ended up writing a tool which sets UpdateCheck = Never for appropriate columns. We're using a batch file to call SqlMetal and afterwards running the tool.
Oh, while I think of it - it was also a treat to find that SqlMetal also models relationships to set a foreign key to null instead of "Delete On Null" (for join tables in particular). We had to use the same post-generation tool to set these appropriately too.

Related

Does reSELECT [tblmytable] clear a filter?

I'm converting a Foxpro app and I'm having a bit of trouble with database table referencing/selection. I'm not in a position to run the Foxpro code as I only have code dumps with which to work. If someone could help me understand what is happening here I'd be most grateful. Yes... I searched.
SELECT tblMyTable
Set Filter To Inlist(cbid,123)
SELECT tblMyTable
Does the second Select simply reselect tblMyTable and clear the filter?
If not is a second instance being opened so you have one that’s filtered and one that isn’t?
If so how do I reference each instance since they have no names? Automatically 1 and 2?
Lastly if I’ve got it completely wrong just give me a small clue and I’m on it. Thank you!
I see that you are being misguided.
Second select has no special meaning. That line is not needed at all, but wouldn't do any harm either.
If it were a view, then 'refreshing' a view is done by using Requery(), not by doing another 1 or more selects.
In fact, 'set filter' is on the list of (almost all VFP developers') "never to use commands"; exceptions like this might happen unfortunately.
If you are doing a conversion by only using code dumps and no VFP environment at all, then your task should be extremely hard. I would instead prefer a rewrite from scratch. That would be faster even for seasoned VFP developers.

Is it possible to do an insert on a mapplet without SQL transformation

Is it possible to do an insert on a mapplet without SQL transformation? Like in an expression?
Thanks
The short answer is ‘no’
A mapplet cannot contain a target, it CAN contain a source, which is kind of counter intuitive I suppose :)
You must always have at least one port going out of the mapplet, but as you suggest, it is possible to do ‘writing’ anyway, using a sql-trans.
Personally I prefer not to do so, and let all the writing happen immediately after the mapplet, since the sql trans is rather difficult to debug, and logging metadata in the repository is non-existing.

Joomla 2.5 component

Is it possible to make a 2.5 component without using TableHelloWorld class and all that field type stuff like from here. Or is it compulsory?
http://docs.joomla.org/Developing_a_Model-View-Controller_Component/2.5/Using_the_database
The system will function without it fairly well actually. All you actually need to get something running is a base file named after your component, a controller.php file, and the view as outlined in this section: http://docs.joomla.org/Developing_a_Model-View-Controller_Component/2.5/Adding_a_view_to_the_site_part
From that you will get something that runs and loads. And if you choose you can just make raw sql queries to the database.
That being said, the framework is there to help you, not to hinder you. I've cut a lot of corners over the years, and almost always you end up regretting it later. Feel free to play around with skipping the pieces, but just remember that there are pieces out there that can help you with all kinds of important things that you may not think you need right now. (Binding input, table row hierarchies, and check-in/check-out functionality are just a few that come to mind that I'm glad I didn't have to make myself.)

How to find Dependent Rowset in ZF2

I have two tables (just an example): Cars and Colors.
One Car has a Color, so I can't delete the color red if there exists a car that is red. Easy.
With ZF1 I could easily verify this dependency before deleting a color, by using the findDependentRowset() method.
But how can I do this in ZF2?
Is it bad practice if I just let the delete method fail and then grab the exception and print a message?
Thanks!
There is no direct implementation of findDependentRowset() anymore in ZF2. ZF2 went back a step of providing a full ORM and instead simply provided functionality for easier Query-Management.
And exactly this would be your approach. You'd either do two queries, Query for CAR then Query Colors for CarColor, or you'd do a single query, where you query for both simultaneously. The latter one being the faster approach, the first one being pretty much what findDependentRowset() did.
If you want more 'magic'-functionality, you'd be best advised to check out one of the many good ORMs out there. Doctrine 2 for example has a pretty neat ZF2 implementation already and appears to be a community standard as far as ZF2 is concerned. You may want to check out https://github.com/doctrine/DoctrineORMModule

How to prevent injections in ASP/VBScript?

What are the best ways (or at least most common ways) in ASP (VBScript) for input handling? My main concerns are HTML/JavaScript injections & SQL injections. Is there some equivalent to PHP's htmlspecialchars or addslashes, et cetera? Or do I have to do it manually with something like string replace functions?
The bottom line is this:
1. Always HTML-encode user input before you write it to your page. Server.HTMLEncode() does that for you.
2. Always use parameterized queries to interface with a database. The ADODB.Command and ADODB.CommandParameter objects are the right choice here.
3. Always use the URLScan utility and IIS lockdown on the IIS server that renders the page, unless they are version 6 and up, which do not require these tools anymore.
If you stick to points 1 and 2 slavishly, I can't think of much that can go wrong.
Most vulnerabilities come from not properly encoding user input or building SQL strings from it. If you for some reason come to the point where HTML-encoding user input stands in your way, you have found a design flaw in your application.
I would add to Tomalak's list one other point.
Avoid using concatenation of field values in SQL code. That is, in some cases a stored procedure may build some SQL in a string to subsequently execute. This is fine unless a textual field value is used as part of its construction.
A command parameter can protect SQL code designed to input a value from being hijacked into executing unwanted SQL but it allows such unwanted SQL to become data in the database. This is a first-level vulnerability. A second-level injection vulnerability exists if the field's value is then used in some SQL string concatenation inside a stored procedure.
Another consideration is that this is just minimal protection. All it's doing is rendering attack attempts harmless. However, in many cases it may be better to add to this a system which prevents such data entry altogether and/or alerts admins to a potential injection attack.
This is where input validation becomes important. I don't know of any tools that do this for you but a few simple Regular Expressions might help. For example, "<\w+" would detect the attempt to include an HTML tag in the field.
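The points made in the two answers above, combined in one Classic ASP page as an added example (not code from either answer): a parameterized ADODB.Command insert, Server.HTMLEncode() on output, and the "<\w+" check as an extra validation layer. The connection string, the `comments` table, its column sizes and the form field names are assumptions.

```vbscript
<%
Option Explicit
' ADO constant values, as defined in adovbs.inc
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202, adExecuteNoRecords = 128
' Placeholder connection string (assumption); use the application's own.
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=DemoDb;Integrated Security=SSPI;"

' True when the value appears to contain an HTML tag (the "<\w+" pattern from the answer).
Function LooksLikeMarkup(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "<\w+"
    LooksLikeMarkup = re.Test(value)
End Function

' Inserts into the hypothetical comments table. The values are bound as
' parameters, so they are never parsed as part of the SQL text.
Sub SaveComment(author, body)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = CONN_STRING
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO comments (author, body) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("author", adVarWChar, adParamInput, 50, author)
    cmd.Parameters.Append cmd.CreateParameter("body", adVarWChar, adParamInput, 2000, body)
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

Dim author, body
' Truncate to the declared parameter sizes so over-long input cannot raise an ADO error.
author = Left(Trim(Request.Form("author") & ""), 50)
body = Left(Request.Form("body") & "", 2000)

If LooksLikeMarkup(author) Or LooksLikeMarkup(body) Then
    ' Reject the entry and leave a marker in the IIS log for the admins.
    Response.AppendToLog "comment-rejected-markup"
    Response.Status = "400 Bad Request"
    Response.Write "<p>Comments may not contain HTML.</p>"
Else
    SaveComment author, body
    ' Encode on output even though the input was validated.
    Response.Write "<p>" & Server.HTMLEncode(author) & " wrote: " & Server.HTMLEncode(body) & "</p>"
End If
%>
```

The regular-expression check sits on top of the parameterized command and the output encoding; it does not replace either of them.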
