• 0

Repository - your implementations


Question

The repository pattern seems to be really popular for isolation and testing purposes. I was just curious in a general description how do you guys keep your repositories safe? Because if someone accesses a generic repository that isn't supposed to they could run all kinds of commands on your database. So what types of checks do you implement at the repository level?

 

EDIT: I'm not asking for in-depth examples btw, I know how to do basic authentication/authorization checks I'm just more curious if people are using better methods then what I currently know. I love to research how to improve my programming :)

Link to comment
Share on other sites

13 answers to this question

Recommended Posts

  • 0

What do you mean by "generic repository"? Can you give an example?

Securely performing data access is a fairly big topic. At the very least you should be sanitizing your inputs. A repository object allows you to encapsulate this, so that you can hide the implementation details from people using your code.

Pseudocode example:

 

class Person
{
    public string Forename;
    public string Surname;
    public string DateOfBirth;
}

interface IRepository<T>
{
    void Insert(T item);
}

class PersonRepository : IRepository<Person>
{
    Person FindByName(string forename, string surname)
    {
       // Code to find person, with names sanitized appropriately, or using proper database objects.
    }

    void Insert(Person item)
    {
        // Code to insert person, with person's information sanitized appropriately, or using proper database objects.
    }
}
If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

Example:

 

    PersonRepository repo = new PersonRepository();

    Person p;

    // Try an SQL injec
(I tried to give an example, but I guess the forum blocks it as an SQL injection attempt :rofl:)
Link to comment
Share on other sites

  • 0

 

If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

void Insert(Person item) { }

but.. With this approach, how do you know if the Insert() method was successful, contains warnings or errors?

Link to comment
Share on other sites

  • 0
void Insert(Person item) { }
but.. With this approach, how do you know if the Insert() method was successful, contains warnings or errors?

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.
Link to comment
Share on other sites

  • 0

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.

 

 

Ok I have heard that try/catch blocks cause some performance hit and I dont want them in my callers, so I use the return class method like this:

public enum MessageType
{
   OK,
   Warning,
   Error
}

public class Message
{
   public string Text { get; set; }
   public MessageType Type { get; set; }
   public void Set(string text, MessageType type) { }
   public void Set(Exception e) { }
}

//In the repository...
public Message Insert(Person item)
{
   //...
}

?

 I use ASP.NET MVC4 btw :)

Link to comment
Share on other sites

  • 0

The preformance hit of try catch is nothing to worry about.  As if the code is done right it shouldn't fail.  Most adapters will throw exceptions anyways so you need to catch them.  As for basic logic, #1.. make sure your db uses proper users/passwords.  You could have a server that runs the queries and have clients that connect and use sessions and request data that way.  You could have tables in the db itself that handle sessions, w/ ip's and accounts.  There are tonnes of different security implementations you could use.

Link to comment
Share on other sites

  • 0

Ok I have heard that try/catch blocks cause some performance hit 

And testing for return codes also causes a performance hit, branches are far from free on modern CPUs. However you handle error conditions, it's going to cost something.

  • Like 2
Link to comment
Share on other sites

  • 0

I was thinking something similar to the evn show when I first saw the question, then I considered a custom repository for a specific program. I use git+gitolite for my source code repository management, but I don't think that is too devious. The latter interpretation of your question I have attempted only once. I implemented a hosted repository in one of my larger programs. I simply hosted zip files in a single directory on a web server on the internal LAN. At first I had the repository location and names of the zips hard-coded into the program, but I eventually allowed the repository URL to be set by the user and hosted a libconfig configuration file that contained metadata about each zip hosted in the repository. It was not a complex implementation, but it worked for my purposes.

Link to comment
Share on other sites

  • 0

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

Link to comment
Share on other sites

  • 0

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

 

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never head of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

Link to comment
Share on other sites

  • 0

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

Yeah I was. I just was thinking for an MVC web site if you have a repository pattern (internal of course, not publically accessed), if someone compromises your system what types of security measures do you have in place in case someone finds a way to call MyRepository.DeleteAllData(); // granted, such a silly function wouldn't exist but you get the gist. Thanks for the replies so far guys. I already use sanitation so I'm happy to see I'm doing the same thing most people are doing there. I never trust user input. Seems to be a golden rule, never trust input be valid.

Link to comment
Share on other sites

  • 0

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never head of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

 

It's just a common design pattern, people have implemented it in all kinds of languages for several years. I'm not sure who 'invented' the repository pattern but I believe it was popularised in 2002 after being featured in Martin Fowler's "Patterns of Enterprise Application Architecture", that's the first book I remember referencing the repository pattern anyway.

Link to comment
Share on other sites

  • 0

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never head of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

It's fairly common term in my experience, but then I was a web dev for 2 years before my current job, so I could be biased. I can't really say I've seen it used out of web dev.

It's an OOP design pattern used to abstract away the implementation of data storage, so that the "Repository" object can be modified (or replaced entirely) without the dependent objects being aware of the changes. An ideal repository could look and act like a standard in-memory container class, providing methods for adding, removing and updating the stored objects.

Link to comment
Share on other sites

This topic is now closed to further replies.