[OWASP-ESAPI] Any codec for Sybase?

Dave Wichers dave.wichers at owasp.org
Fri Sep 17 15:19:42 EDT 2010

I agree with Chris. And this 'rare' use case is probably why we haven't seen
many people clamoring for these encoders. Just use prepared statements is
the right answer in most cases, seriously minimizing the need for these type
of encoders. That said, they are occasionally needed.

We may want to put this type of warning on the Javadoc for the encoders
indicating why they have been provided and encouraging people to use
Prepared statements normally, and only use these if they are in some
extraordinary situation which requires encoding by hand (and some of our
customers have needed to do that).




From: Chris Schmidt [mailto:chrisisbeef at gmail.com] 
Sent: Friday, September 17, 2010 2:53 PM
To: Dave Wichers
Cc: Vasten; owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] Any codec for Sybase?


I just want to clarify the use-case for the database encoders. It is not
common that these should be used in lieu of a parameterized query, however -
there is a business case for them in situations where you may be running a
series of dynamically built statements that have a large amount of
parameters in them. PreparedStatements as they become more and more complex
can actually degrade the performance of a system in comparison to String
concatenation. This is a pretty far out edge case for most applications, but
I have seen applications which process on the order of 10K transactions per
minute using PreparedStatements choke. 

To the best of my knowledge this is the only real-world business case for
using the Encoders instead of a PreparedStatement.

That being said, it seems like this is a good candidate for a collection of
contribs - with Encoding potentially becoming part of the core API
functionality, it would be great to allow additional Encoders to be loaded
into the API *easily* 

On Fri, Sep 17, 2010 at 11:36 AM, Dave Wichers <dave.wichers at owasp.org>

Not that I know of. We need a number of database codecs for ESAPI.


Care to write and contribute one? They aren't that hard at all. I actually
saw the code for a Sybase codec but it was proprietary to my customer so I
couldn't just grab it and contribute it, but it was pretty darn simple.


Anyone out there on the ESAPI lists want to contribute any database codecs
for ESAPI? These would be very small contributions but very welcomed. In
fact, I suspect some of you already have these codecs lying around in your
implementations. And all you'd have to do is extract them and get permission
to release them to us.


I know we need a number of them for popular databases such as:

*	SQL Server (Microsoft)
*	PostgreSQL (Postgres)
*	Transact-SQL (Sybase)
*	DB2 (IBM)

But there are many others as well.




From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Vasten
Sent: Thursday, September 16, 2010 9:17 PM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] Any codec for Sybase?


I see codecs for Oracle and MySQL, is there one for Sybase?


OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org

Chris Schmidt


Check out OWASP ESAPI for Java

OWASP ESAPI for JavaScript

Yet Another Developers Blog

Bio and Resume

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20100917/1acf11b9/attachment-0001.html 

More information about the OWASP-ESAPI mailing list