Embedded SQL editor for web pages - sql

We are developing a web application in Java/Java EE where users should be able to type in the SQL queries, and should be able to see syntax coloring, table view, content help etc.
Please suggest any third party tools which can be embedded into webpages and which do this.

The closest thing I can find is this http://archive.eso.org/wdb/html/wdb.html. I have never used it and it may require an interface implementation for the specific DB you use (see the dev section http://archive.eso.org/wdb/html/doc/WDB/node1.html).
I think the problem is most web front ends specialise in one particular DBMS instead of being agnostic and most are not written in a way that enables components to be dropped into other applications.
The WDB code may give you a starting point on coding this yourself though.
Is there a particular DBMS that you need to support?
You might have more joy looking into available third party SQL parsers and hooking them up in a web page with AJAX. I would expect any third party library worth its salt to already try and detect SQL injection but it would be wise to verify that's the case.

Related

Does Suave include tools for database?

Is there built-in way to access databases in Suave?
Suave is a web server library, so it doesn't come with a built-in way to access a database or anything like a sql abstraction.
An option if you're looking for a framework that does have a way to access data built in, Saturn is a fine choice. It's also used as the backend for SAFE-stack if you're interested in full-stack F#.
Under the covers it's relatively simple, the template just lays down a CLI that lets you scaffold out some code and do migrations. And Dapper gets used as your database access library. But it does at least put things together in a template so that you can see how to connect things.

Is SQL injection or hacking possible in the Yii web application?

I am new to Yii. I want to know: is SQL injection or any hacking possible in a Yii web application? If so, how can I avoid that problem?
Yes. Any "hacking" is possible in any web application.
Because no software makes an application safe, but a programmer. Yii is only a tool, but how to use it is entirely up to one who uses it.
So, you have to learn how to use Yii and technology and security basics in general. Without such education that cannot be done by means of asking and answering just one question, one cannot create a safe application.
To make this answer not entirely off topic, as long as you're using Yii ActiveRecord, you can consider your code SQL injection safe, because AR takes the trouble of creating SQL queries for you.
Yeah. It depends on the programmer and how he/she uses the code, if executed correctly. Try to read the Yii documentation; it shows how to use the code properly and make it anti SQL injection.
Yes. The saying "Security is insecurity." is a big issue in web security.
Everything is hackable, but it depends on the security of the system and the performance of the device trying to hack it. A hacker trying to hack a website with a normal PC may take millions of years, but one using a quantum computer may break it within a second.
A web application built with the Yii PHP framework may also be hackable. Somehow this framework provides strong security measures.

Web Application Interface to SQL Queries

Looking for advice on web development languages/tools for a simple project. I have used HTML to create simple sites before but they were primarily just static information. I have no experience with web scripting, etc. at this point.
Our company has a half dozen or so Transact SQL queries that produce simple text reports from our SQL Server database. I would like to create a simple web type application so that users on our intranet can run these queries themselves vs. asking for what they need.
The queries require minimal input from the user. Typically they would only need to enter a start and stop date or a customer number, or an invoice number.
The application needs to be functional, not especially pretty. I want the user to be asked for the above type input as appropriate and then specify where a file with the results should be written on their computer.
On other projects I have done some Python programming in conjunction with the SQL Server database, just nothing that interacts with a web site or that has a GUI.
Thank you in advance for your suggestions.
You'll at the very least need to know a server side language such as PHP or Python to make the queries. Maybe a CGI script?
Most commonly used, I believe, is PHP. It is well-documented and meant for what you want to do, contrary to Python, which doesn't play as nice with HTML as PHP. As stated on the PHP website, it is quite popular and as such has quite a few tutorials online. After you understand the syntax - you said you have programmed in Python, so only the syntax would be new to you - you should look into how to connect with your SQL Server. Microsoft owns that, so I hope (for them) they explain it well enough: http://technet.microsoft.com/en-us/library/cc793139(v=sql.90).aspx. That should equip you with what is needed for what you describe in the question.
I found this question as well: Can PHP work with a MS SQL database. The accepted answer suggests you can use PDO as well to connect to SQL Server. I recommend PDO over the mssql_ functions, because it offers an object oriented API and an API that makes prepared statements real easy, among others.
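The fixed-report setup described in this thread (a handful of stored queries, with users supplying only dates or a customer or invoice number) maps onto a registry of fixed SQL strings with typed, bound parameters. The following is an added example, not code from the original posts: it uses Python's built-in sqlite3 as a stand-in for SQL Server, and the report names, table and columns are hypothetical; the binding pattern is the same one prepared statements give you in PDO.

```python
import sqlite3
from datetime import date

# Hypothetical registry: users pick a report by name and never supply SQL text.
REPORTS = {
    "invoices_by_date": (
        "SELECT invoice_no, customer_no, total FROM invoices "
        "WHERE invoice_date BETWEEN :start AND :stop ORDER BY invoice_no",
        {"start": date.fromisoformat, "stop": date.fromisoformat}),
    "invoices_by_customer": (
        "SELECT invoice_no, invoice_date, total FROM invoices "
        "WHERE customer_no = :customer ORDER BY invoice_no",
        {"customer": int}),
    "invoice_by_number": (
        "SELECT invoice_no, customer_no, invoice_date, total FROM invoices "
        "WHERE invoice_no = :invoice",
        {"invoice": str}),
}

def run_report(conn, name, form):
    """Run a registered report; form values are validated, then bound."""
    if name not in REPORTS:
        raise ValueError("unknown report")
    sql, spec = REPORTS[name]
    if set(form) != set(spec):
        raise ValueError("unexpected or missing field")
    params = {}
    for field, convert in spec.items():
        try:
            value = convert(form[field])
        except (TypeError, ValueError):
            raise ValueError(f"invalid value for {field}") from None
        # Dates are bound as ISO strings; nothing is concatenated into the SQL.
        params[field] = value.isoformat() if isinstance(value, date) else value
    return conn.execute(sql, params).fetchall()

def demo_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (invoice_no TEXT, customer_no INTEGER,"
                 " invoice_date TEXT, total REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", [
        ("INV-1001", 7, "2024-01-15", 120.0),
        ("INV-1002", 8, "2024-02-03", 75.5),
        ("INV-1003", 7, "2024-03-20", 310.0)])
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(run_report(db, "invoices_by_date",
                     {"start": "2024-01-01", "stop": "2024-02-28"}))
```

A quote-laden invoice number is bound as a literal string and simply matches no row, while a non-numeric customer number or malformed date is rejected before the query runs.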

What is the status of HTML5 Database?

This spec http://www.w3.org/TR/webdatabase/ says:
This document was on the W3C Recommendation track but specification work has stopped. The specification reached an impasse: all interested implementors have used the same SQL backend (Sqlite), but we need multiple independent implementations to proceed along a standardisation path.
Does this mean that HTML5 database is going away, and for some time we will have a de-facto standard using SQLite, possibly with browser differences? Or has the W3C published a plan of attack for finishing the standard?
According to this article:
[...] we think it is worth explaining our design choices, and why we think IndexedDB is a better solution for the web than Web SQL Database.
In another article, we compare IndexedDB with Web SQL Database, and note that the former provides much syntactic simplicity over the latter. IndexedDB leaves room for a third-party JavaScript library to straddle the underlying primitives with a BTree API, and we look forward to seeing initiatives like BrowserCouch built on top of IndexedDB. Intrepid web developers can even build a SQL API on top of IndexedDB. We’d particularly welcome an implementation of the Web SQL Database API on top of IndexedDB, since we think that this is technically feasible. Starting with a SQL-based API for use with browser primitives wasn’t the right first step, but certainly there’s room for SQL-based APIs on top of IndexedDB.
I'm not personally swayed by the arguments put forth in the article, but it seems clear that (for the time being) Mozilla has decided that Web SQL Database is dead.
Further interesting comments about this article may be found on Hacker News.
My understanding is that this is now called "IndexedDB"
http://www.w3.org/TR/IndexedDB/
Apparently the Firefox team has started implementing this:
http://hacks.mozilla.org/2011/01/indexeddb-in-firefox-4/
I don't know if anyone knows the answer. Mozilla doesn't like the dependence upon SQLite and has decided to go a different way. However, all WebKit based browsers already have it implemented and I don't see them removing it as any websites built to take advantage of the spec would be broken.
This means that at least in certain contexts, mostly within the mobile sphere where most browsers have a webkit implementation, it can still make sense to use the HTML5 Web SQL spec. I see this as especially true for developers who are looking to create mobile applications using a framework like phonegap.
There are some times where as an application developer you want to provide users with access to data even if they aren't connected to the internet or if the connection is slow, and some types of data are just more efficiently stored in a database than in a cookie or JSON cache. For example, if you have data that has relationships it is much easier and quicker to do a join query to pull the data you need than it is to search a JSON map.
I don't think the spec is dead, and I actually hope that Mozilla will reverse their stance so that developers can use it to solve problems outside of the mobile webkit world.

Consuming web services from Oracle PL/SQL

Our application is interfacing with a lot of web services these days. We have our own package that someone wrote a few years back using UTL_HTTP and it generally works, but needs some hard-coding of the SOAP envelope to work with certain systems. I would like to make it more generic, but lack experience to know how many scenarios I would have to deal with. The variations are in what namespaces need to be declared and the format of the elements. We have to handle both simple calls with a few parameters and those that pass a large amount of data in an encoded string.
I know that 10g has UTL_DBWS, but there are not a huge number of use-cases on-line. Is it stable and flexible enough for general use? Documentation
I have used UTL_HTTP which is simple and works. If you face a challenge with your own package, you can probably find a solution in one of the many wrapper packages around UTL_HTTP on the net (Google "consuming web services from pl/sql", leading you to e.g.
http://www.oracle-base.com/articles/9i/ConsumingWebServices9i.php)
The reason nobody is using UTL_DBWS is that it is not functional in a default installed database. You need to load a ton of Java classes into the database, but the standard instructions seem to be defective - the process spews Java errors right and left and ultimately fails. It seems very few people have been willing to take the time to track down the package dependencies in order to make this approach work.
I had this challenge and found and installed the 'SOAP API' package that Sten suggests on Oracle-Base. It provides some good envelope-creation functionality on top of UTL_HTTP.
However there were some limitations that pertain to your question. SOAP_API assumes all requests are simple XML- i.e. only one layer tag hierarchy.
I extended the SOAP_API package to allow the client code to arbitrarily insert an extra tag. So you can insert a sub-level such as , continue to build the request, and remember to insert a closing tag.
The namespace issue was a bear for the project- different levels of XML had different namespaces.
A nice debugging tool that I used is TCP Trace from Pocket Soap.
www.pocketsoap.com/tcptrace/
You set it up like a proxy and watch the HTTP request and response objects between client and server code.
Having said all that, we really like having a SOAP client in the database- we have full access to all data and existing PLSQL code, can easily loop through cursors and call the external app via SOAP when needed. It was a lot quicker and easier than deploying a middle tier with lots of custom Java or .NET code. Good luck and let me know if you'd like to see my enhanced SOAP API code.
We have also used UTL_HTTP in a manner similar to what you have described. I don't have any direct experience with UTL_DBWS, so I hope you can follow up with any information/experience you can gather.
#kogus, no it's a quite good design for many applications. PL/SQL is a full-fledged programming language that has been used for many big applications.
Check out this older post. I have to agree with that post's #1 answer; it's hard to imagine a scenario where this could be a good design.
Can't you write a service, or standalone application, which would talk to a table in your database? Then you could implement whatever you want as a trigger on that table.