<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
 /* List Definitions */
 @list l0
        {mso-list-id:505750856;
        mso-list-template-ids:-589905326;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=WordSection1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I agree with Chris. And this &#8216;rare&#8217; use case is probably why we
haven&#8217;t seen many people clamoring for these encoders. Just use prepared
statements is the right answer in most cases, seriously minimizing the need for
these type of encoders. That said, they are occasionally needed.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><br>
We may want to put this type of warning on the Javadoc for the encoders indicating
why they have been provided and encouraging people to use Prepared statements
normally, and only use these if they are in some extraordinary situation which
requires encoding by hand (and some of our customers have needed to do that).<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>-Dave<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Chris Schmidt
[mailto:chrisisbeef@gmail.com] <br>
<b>Sent:</b> Friday, September 17, 2010 2:53 PM<br>
<b>To:</b> Dave Wichers<br>
<b>Cc:</b> Vasten; owasp-esapi@lists.owasp.org<br>
<b>Subject:</b> Re: [OWASP-ESAPI] Any codec for Sybase?<o:p></o:p></span></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'>I just want to clarify the
use-case for the database encoders. It is not common that these should be used
in lieu of a parameterized query, however - there is a business case for them
in situations where you may be running a series of dynamically built statements
that have a large amount of parameters in them. PreparedStatements as they
become more and more complex can actually degrade the performance of a system
in comparison to String concatenation. This is a pretty far out edge case for
most applications, but I have seen applications which process on the order of
10K transactions per minute using PreparedStatements choke. <br>
<br>
To the best of my knowledge this is the only real-world business case for using
the Encoders instead of a PreparedStatement.<br>
<br>
That being said, it seems like this is a good candidate for a collection of
contribs - with Encoding potentially becoming part of the core API
functionality, it would be great to allow additional Encoders to be loaded into
the API *easily* <br>
<br>
<br>
<o:p></o:p></p>

<div>

<p class=MsoNormal>On Fri, Sep 17, 2010 at 11:36 AM, Dave Wichers &lt;<a
href="mailto:dave.wichers@owasp.org">dave.wichers@owasp.org</a>&gt; wrote:<o:p></o:p></p>

<div>

<div>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Not that I know of. We need a number of
database codecs for ESAPI.</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Care to write and contribute one? They
aren&#8217;t that hard at all. I actually saw the code for a Sybase codec but it was
proprietary to my customer so I couldn&#8217;t just grab it and contribute it, but it
was pretty darn simple.</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Anyone out there on the ESAPI lists want
to contribute any database codecs for ESAPI? These would be very small
contributions but very welcomed. In fact, I suspect some of you already have
these codecs lying around in your implementations. And all you&#8217;d have to do is
extract them and get permission to release them to us.</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>I know we need a number of them for
popular databases such as:</span><o:p></o:p></p>

<ul type=disc>
 <li class=MsoNormal style='color:#1F497D;mso-margin-top-alt:auto;mso-margin-bottom-alt:
     auto;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt'>SQL Server
     (Microsoft)</span><o:p></o:p></li>
 <li class=MsoNormal style='color:#1F497D;mso-margin-top-alt:auto;mso-margin-bottom-alt:
     auto;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt'>PostgreSQL
     (Postgres)</span><o:p></o:p></li>
 <li class=MsoNormal style='color:#1F497D;mso-margin-top-alt:auto;mso-margin-bottom-alt:
     auto;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt'>Transact-SQL
     (Sybase)</span><o:p></o:p></li>
 <li class=MsoNormal style='color:#1F497D;mso-margin-top-alt:auto;mso-margin-bottom-alt:
     auto;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt'>DB2 (IBM)</span><o:p></o:p></li>
</ul>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>But there are many others as well.</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>-Dave</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>&nbsp;</span><o:p></o:p></p>

<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt'>From:</span></b><span style='font-size:10.0pt'> <a
href="mailto:owasp-esapi-bounces@lists.owasp.org" target="_blank">owasp-esapi-bounces@lists.owasp.org</a>
[mailto:<a href="mailto:owasp-esapi-bounces@lists.owasp.org" target="_blank">owasp-esapi-bounces@lists.owasp.org</a>]
<b>On Behalf Of </b>Vasten<br>
<b>Sent:</b> Thursday, September 16, 2010 9:17 PM<br>
<b>To:</b> <a href="mailto:owasp-esapi@lists.owasp.org" target="_blank">owasp-esapi@lists.owasp.org</a><br>
<b>Subject:</b> [OWASP-ESAPI] Any codec for Sybase?</span><o:p></o:p></p>

</div>

<div>

<div>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi:<br>
I see codecs for Oracle and MySQL, is there one for Sybase?<br>
<br>
Thanks,<br>
keith<o:p></o:p></p>

</div>

</div>

</div>

</div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
OWASP-ESAPI mailing list<br>
<a href="mailto:OWASP-ESAPI@lists.owasp.org">OWASP-ESAPI@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-esapi" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-esapi</a><o:p></o:p></p>

</div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<br clear=all>
<br>
-- <br>
Chris Schmidt<br>
<br>
OWASP ESAPI Developer<br>
<a href="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API">http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API</a><br>
<br>
Check out OWASP ESAPI for Java<br>
<a href="http://code.google.com/p/owasp-esapi-java/">http://code.google.com/p/owasp-esapi-java/</a><br>
<br>
OWASP ESAPI for JavaScript<br>
<a href="http://code.google.com/p/owasp-esapi-js/">http://code.google.com/p/owasp-esapi-js/</a><br>
<br>
Yet Another Developers Blog<br>
<a href="http://yet-another-dev.blogspot.com">http://yet-another-dev.blogspot.com</a><br>
<br>
Bio and Resume<br>
<a href="http://www.digital-ritual.net/resume.html">http://www.digital-ritual.net/resume.html</a><o:p></o:p></p>

</div>

</body>

</html>