Storing SQL statements securely.

Time:09-23

Responding to a code review from party A (the client): the SQL statements were originally written directly in ashx handlers or back-end code, but party A's specification does not allow them to appear directly in the code. I thought about putting them in XML, in app.config, or in stored procedures; a colleague said stored procedures are not appropriate? So I want to ask how you all do this, and if you suggest one of those places, how the values are fetched from it.

CodePudding user response:

XML or app.config can also be regarded as "appearing in the code"; actually it is even worse, because it is easier to replace and thus incur injection attacks.
Having SQL statements appear in the back-end code is a completely normal and safe practice. Perhaps party A's real requirement is hierarchical access control:

Public web service layer
------------------------
This layer has no permission to touch SQL directly and no permission to access data storage.
This layer can only access the application layer; the application layer provides the services, the database and the storage services.

Internal application layer
--------------------------
This layer is completely inaccessible from outside, but provides services to the web service layer.
This layer can have SQL, data storage and so on; SQL in the code of this layer is no problem.



CodePudding user response:

Quoting 1st floor github_36000833's reply:
XML or app.config can also be regarded as "appearing in the code"; actually it is even worse, because it is easier to replace and thus incur injection attacks.
Having SQL statements appear in the back-end code is a completely normal and safe practice. Perhaps party A's real requirement is hierarchical access control:

Public web service layer
------------------------
This layer has no permission to touch SQL directly and no permission to access data storage.
This layer can only access the application layer; the application layer provides the services, the database and the storage services.

Internal application layer
--------------------------
This layer is completely inaccessible from outside, but provides services to the web service layer.
This layer can have SQL, data storage and so on; SQL in the code of this layer is no problem.

The thing is, if they are put directly in the back end, the Sonar scan will flag them. If they are put in stored procedures, what do you think the problem is?

CodePudding user response:

You can write a .dat file and then have an encryption/decryption algorithm for the data inside it; QQ saves user information inside .dat files that way.

CodePudding user response:

Quoting 2nd floor u014480075's reply:
... If they are put in stored procedures, what do you think the problem is?


Calling a stored procedure: ListUsers @NameLike='Harry %'
and
calling SQL: Select * from Users where Name like 'Harry %'
Is there essentially any difference?
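As an added example (mine, not from anyone in this thread), a Python/SQLite stand-in for the C# and SQL Server setup being discussed: the same ListUsers query is kept inline in code and in a hypothetical XML statement file, and both are executed with a bound parameter, the same role @NameLike plays in the stored procedure above. The Users table, the XML format and the sample names are constructed; the point it shows is that where the SQL text lives changes nothing about injection safety, only whether the pattern is bound or concatenated into the statement does, which the concatenated variant makes visible by breaking on a name that contains an apostrophe.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample: the same "list users by name pattern" query kept in the two
# places the thread argues about, inline in code and externalised to an XML file.
# The '?' placeholder is bound at execution time, so the text is never rewritten.
INLINE_SQL = "SELECT Name FROM Users WHERE Name LIKE ? ORDER BY Name"

XML_STATEMENTS = """<statements>
  <statement id="ListUsers">SELECT Name FROM Users WHERE Name LIKE ? ORDER BY Name</statement>
</statements>"""


def load_statement(xml_text, statement_id):
    """Look up SQL text by id in a (hypothetical) XML statement catalogue."""
    root = ET.fromstring(xml_text)
    for node in root.findall("statement"):
        if node.get("id") == statement_id:
            return node.text.strip()
    raise KeyError(statement_id)


def make_db():
    """In-memory SQLite stand-in for the Users table discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?)",
                     [("Harry Potter",), ("Harriet Jones",), ("O'Brien",)])
    return conn


def list_users_parameterised(conn, sql, name_like):
    """Safe form: the pattern travels as a bound parameter, like @NameLike in the
    stored procedure. Quotes and wildcards in the input are data, not syntax."""
    return [row[0] for row in conn.execute(sql, (name_like,))]


def list_users_concatenated(conn, name_like):
    """Flawed form: the statement text is assembled from the input, so the input
    can change the statement itself. Returns the error class name on failure so
    the difference is visible to a caller without a try/except."""
    sql = "SELECT Name FROM Users WHERE Name LIKE '" + name_like + "' ORDER BY Name"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "ERROR: " + type(exc).__name__
```

Run with a pattern such as "Harry%" and both forms agree; run with the literal name "O'Brien" and only the bound form returns the row, because the concatenated statement is no longer the statement the developer wrote.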

CodePudding user response:

This is similar to how interfaces work now: the front end sends a data request, the back end reads the database, processes the data into a suitable structure (usually JSON) and returns it to the front end, and the front end processes and displays it.

CodePudding user response:

No difference. Write them in XML; whatever he says, just do it, there is no need to bother with anything else, ha.

CodePudding user response:

Then listen to him and don't put them in the code.
Put them in stored procedures.
As for XML or the config, I very much disagree.

CodePudding user response:

Putting them in stored procedures has certain advantages, but maintenance is more troublesome.

The advantage is that for a lot of problems you can directly modify the stored procedure to change the logic,
without needing a release. For large projects this has certain advantages, but with microservices, haha.

On the downside, maintenance is more troublesome, and with the logic in SQL it is never as smooth to implement as in code.
And the names of the stored procedures must follow a strict specification.

CodePudding user response:

Quoting 7th floor wrath of god's reply:
Then listen to him and don't put them in the code.
Put them in stored procedures.
As for XML or the config, I very much disagree.

What is wrong with XML or the config? Please explain.

CodePudding user response:

Quoting 9th floor u014480075's reply:
Quote: quoting 7th floor nu month god's reply:

Then listen to him and don't put them in the code.
Put them in stored procedures.
As for XML or the config, I very much disagree.

What is wrong with XML or the config? Please explain.

Very unsafe.

CodePudding user response:

Unsafe?? That is just nonsense.

With SQL Profiler I can see whatever I want to see.

So this is a matter of machine security, not code security.

If I can already see your config, can't I see the connection string? Can't I use SQL Profiler to see the SQL??

CodePudding user response:

Weren't they put in XML in iBATIS, which was once very popular? Putting them in XML has good and bad points: the good is flexibility; the harm, I think, is the separation of business logic from code, which makes the code hard to read.

CodePudding user response:

Quoting 12th floor the knights templar 18's reply:
Weren't they put in XML in iBATIS, which was once very popular? Putting them in XML has good and bad points: the good is flexibility; the harm, I think, is the separation of business logic from code, which makes the code hard to read.

Alibaba is an iBATIS team; its advantages are flexibility and ease of performance tuning.
Many times a technology is chosen not for simple technical reasons but because the organization needs that technology. Alibaba's business volume is huge; being able to increase database performance by 1% is no small thing, and any low-performance SQL can jam the business process, so every SQL statement must be tuned with high precision, which requires a senior DBA post. How is this DBA job embedded in the whole development process and mixed together with back-end development (decoupling the work process)? iBATIS provides the plan.

CodePudding user response:

iBATIS, as a solution, has ways to avoid this kind of SQL injection problem.
As for the so-called SQL exposure, this is actually not important: unless your server is breached, no one can steal your SQL.