PEAK XOOPS - News in englishin japanese

Archive | RSS |
  
Poster : GIJOE on 2006-06-20 13:16:00 (12982 reads)

in englishin japanese
I've found much better anti-XSS system like "Big umbrella".

1. check doubtful request (eg. "<script") in the top of application
2. if such requests exist, push an output filter by ob_start()
3. else no ob_start() are pushed (=performance safe)
4. check registered doubtful-requests exist in the html for outputting
5. if exist, die().

I'll write the code in (2)

0 comments

Poster : GIJOE on 2006-06-06 18:10:55 (17901 reads)

in englishin japanese
Marijuana suggested me "You should compare with IN and INNER JOIN instead of LEFT JOIN".
As his suggestion sounds quite reasonable, I've done benchmark again.

The result
(LEFT JOIN) << (IN) ~ (INNER JOIN)

Thus I still insist "IN than JOIN".
That's because, dividing queries into permission and main makes coding easy.

Read more... | 3238 bytes more |0 comments

Poster : GIJOE on 2006-06-04 04:32:00 (9493 reads)

in englishin japanese
MySQL is one of the fastest Database Engine with simple queries, though it is not so fast on with complex queries.

Thus, we should divide queries simple as possible.

eg) permission system between categories and groups:


CREATE TABLE cat (
  `cid` int NOT NULL default 0,
  `name` varchar(255) NOT NULL default '',
  PRIMARY KEY (cid)
) TYPE=MyISAM ;

CREATE TABLE cat_perm (
  `cid` int NOT NULL default 0,
  `gid` int NOT NULL default 0,
  PRIMARY KEY (cid,gid)
) TYPE=MyISAM ;

CREATE TABLE item (
  `id` int NOT NULL default 0,
  `cid` int NOT NULL default 0,
  `name` varchar(255) NOT NULL default '',
  PRIMARY KEY (id),
  KEY (cid)
) TYPE=MyISAM ;


(1) A complex query using JOIN ...

SELECT item.* FROM item LEFT JOIN cat_perm ON cat_perm.cid=item.cid WHERE cat_perm.gid=1;


(2) two simple queries using IN ...

SELECT cid FROM cat_perm WHERE gid=1;

make cid list from the result, then

SELECT * FROM item WHERE cid IN (cid list);


(2) is faster than (1)

This is a result of just a simple bench mark.
In real, as permission system is more complex than it in real, (2) will be much faster than (1)

IN than JOIN

It sounds a good slogan
------------------------------------
(2006/06/06 added)
Though the result of bench mark is correct, this is not a good comparison.
see also:
http://www.peak.ne.jp/xoops/md/news/article.php?storyid=123


Poster : GIJOE on 2006-05-31 06:08:21 (8751 reads)

in englishin japanese
It is non-sense to check "Time-out error" or "Ticket" error in Wiki editing.
These checks make users much impatience.

The "rerversibility" is the most important to think about "anti-CSRF".

If a web application has a reversibility in editing, it is not necessary to add Ticket nor Referer checking in transaction stage for posting.

Wiki is a well-desinged application from this point of view.

We should design applications with reversibilities as possible.

0 comments

Poster : GIJOE on 2006-05-25 06:34:07 (17918 reads)

in englishin japanese
This is a summary of discussion with ELF about escaping string for SQL.

I recommmend addslashes()

(A) performance
(B) compatibility with environments of magic_quotes_gpc=on
(C) reverse function exists
(D) DB connection free

ELF recommend *_escape_string()

(1) clear the purpose
(2) searchable by grep, replacable by sed, easily
(3) can follow to change DB engine's spec

I think it stands to reason all of (1)(2)(3).

Read more... | 1043 bytes more |2 comments

« 1 2 3 (4) 5 6 »
Login
Username or e-mail:

Password:

Remember Me

Lost Password?

Register now!