• 0

Repository - your implementations


Question

The repository pattern seems to be really popular for isolation and testing purposes. I was just curious in a general description how do you guys keep your repositories safe? Because if someone accesses a generic repository that isn't supposed to they could run all kinds of commands on your database. So what types of checks do you implement at the repository level?

 

EDIT: I'm not asking for in-depth examples btw, I know how to do basic authentication/authorization checks I'm just more curious if people are using better methods then what I currently know. I love to research how to improve my programming :)

Link to comment
https://www.neowin.net/forum/topic/1163292-repository-your-implementations/
Share on other sites

13 answers to this question

Recommended Posts

  • 0

What do you mean by "generic repository"? Can you give an example?

Securely performing data access is a fairly big topic. At the very least you should be sanitizing your inputs. A repository object allows you to encapsulate this, so that you can hide the implementation details from people using your code.

Pseudocode example:

 

class Person
{
    public string Forename;
    public string Surname;
    public string DateOfBirth;
}

interface IRepository<T>
{
    void Insert(T item);
}

class PersonRepository : IRepository<Person>
{
    Person FindByName(string forename, string surname)
    {
       // Code to find person, with names sanitized appropriately, or using proper database objects.
    }

    void Insert(Person item)
    {
        // Code to insert person, with person's information sanitized appropriately, or using proper database objects.
    }
}
If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

Example:

 

    PersonRepository repo = new PersonRepository();

    Person p;

    // Try an SQL injec
(I tried to give an example, but I guess the forum blocks it as an SQL injection attempt :rofl:)
  • 0
  Quote

 

If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

void Insert(Person item) { }

but.. With this approach, how do you know if the Insert() method was successful, contains warnings or errors?

  • 0
  On 07/07/2013 at 22:37, WinRT said:
void Insert(Person item) { }
but.. With this approach, how do you know if the Insert() method was successful, contains warnings or errors?

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.
  • 0
  On 07/07/2013 at 22:50, Majesticmerc said:

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.

 

 

Ok I have heard that try/catch blocks cause some performance hit and I dont want them in my callers, so I use the return class method like this:

public enum MessageType
{
   OK,
   Warning,
   Error
}

public class Message
{
   public string Text { get; set; }
   public MessageType Type { get; set; }
   public void Set(string text, MessageType type) { }
   public void Set(Exception e) { }
}

//In the repository...
public Message Insert(Person item)
{
   //...
}

?

 I use ASP.NET MVC4 btw :)

  • 0

The preformance hit of try catch is nothing to worry about.  As if the code is done right it shouldn't fail.  Most adapters will throw exceptions anyways so you need to catch them.  As for basic logic, #1.. make sure your db uses proper users/passwords.  You could have a server that runs the queries and have clients that connect and use sessions and request data that way.  You could have tables in the db itself that handle sessions, w/ ip's and accounts.  There are tonnes of different security implementations you could use.

  • 0
  On 07/07/2013 at 23:33, WinRT said:

Ok I have heard that try/catch blocks cause some performance hit 

And testing for return codes also causes a performance hit, branches are far from free on modern CPUs. However you handle error conditions, it's going to cost something.

  • Like 2
  • 0

I was thinking something similar to the evn show when I first saw the question, then I considered a custom repository for a specific program. I use git+gitolite for my source code repository management, but I don't think that is too devious. The latter interpretation of your question I have attempted only once. I implemented a hosted repository in one of my larger programs. I simply hosted zip files in a single directory on a web server on the internal LAN. At first I had the repository location and names of the zips hard-coded into the program, but I eventually allowed the repository URL to be set by the user and hosted a libconfig configuration file that contained metadata about each zip hosted in the repository. It was not a complex implementation, but it worked for my purposes.

  • 0

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

  • 0
  On 08/07/2013 at 23:03, Majesticmerc said:

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

 

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never head of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

  • 0
  On 08/07/2013 at 23:03, Majesticmerc said:

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

Yeah I was. I just was thinking for an MVC web site if you have a repository pattern (internal of course, not publically accessed), if someone compromises your system what types of security measures do you have in place in case someone finds a way to call MyRepository.DeleteAllData(); // granted, such a silly function wouldn't exist but you get the gist. Thanks for the replies so far guys. I already use sanitation so I'm happy to see I'm doing the same thing most people are doing there. I never trust user input. Seems to be a golden rule, never trust input be valid.

  • 0
  On 08/07/2013 at 23:10, xorangekiller said:

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never head of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

 

It's just a common design pattern, people have implemented it in all kinds of languages for several years. I'm not sure who 'invented' the repository pattern but I believe it was popularised in 2002 after being featured in Martin Fowler's "Patterns of Enterprise Application Architecture", that's the first book I remember referencing the repository pattern anyway.

  • 0
  On 08/07/2013 at 23:10, xorangekiller said:

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never head of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

It's fairly common term in my experience, but then I was a web dev for 2 years before my current job, so I could be biased. I can't really say I've seen it used out of web dev.

It's an OOP design pattern used to abstract away the implementation of data storage, so that the "Repository" object can be modified (or replaced entirely) without the dependent objects being aware of the changes. An ideal repository could look and act like a standard in-memory container class, providing methods for adding, removing and updating the stored objects.

This topic is now closed to further replies.
  • Posts

    • "Asus points out the security aspect, that you will lose support and thus there will be no security updates leaving your system exposed" Both Microsoft (for 3 years) and 0patch (for 5 years) offer ongoing security patches for a fee. https://learn.microsoft.com/en...w/extended-security-updates https://blog.0patch.com/2024/0...windows-10-with-0patch.html
    • I won't switch to W11 at home until I absolutely have to. This deadline depends on how long third-party software will be supported on W10 (such as browsers and image viewers and so on). I estimate that migration will be necessary around 2028, when the ESU program expires, but we'll see.
    • "not so intelligent after all" may be the best summary of this whole mess. And yeah, those opt-outs are practically hidden like Easter eggs, if you're lucky enough to even find them.
    • Asus joins Microsoft, AMD, Dell, urges you to "prepare for mandatory Windows 11 upgrade" by Sayan Sen Sometime earlier this year, Microsoft quietly updated the minimum CPU requirements guidance for Windows 11 24H2. Neowin noticed the change this past week as the support document now classifies a family of CPUs from each vendor, AMD, Intel, and Qualcomm, such that users find it easier to make out which processors are capable of being Copilot+ PC certified. Major OEM and hardware manufacturer Asus recently published a couple of blog posts regarding the upcoming Windows 10 end of support. The company says that it is now time to "prepare for the mandatory Windows 11 upgrade" by taking "essential steps." It writes: "With a mandatory Windows update on the horizon, there are essential steps you should take to ensure a smooth upgrade experience. Proper preparation will not only safeguard your files and system but will also allow you to take full advantage of the innovative features Windows 11 has to offer..." If you are on Windows 10 and are wondering why should you even bother upgrading, Asus points out the security aspect, that you will lose support and thus there will be no security updates, leaving your system exposed. The firm is certainly right, there are real dangers out there. For example, the Lumma infostealer impacted over 394,000 PCs worldwide (download this Defender definition for new ISO installations). Even official Windows files and folders can be vulnerable as we saw with the inetpub folder. However, Asus wants you to get excited about Copilot, the new AI assistant that Microsoft has been busy pushing everywhere on its apps and services. Echoing the same sentiment as Microsoft, and others like Dell and AMD, Asus says Copilot is what sets Windows 11 apart from 10 as it writes: "What makes Windows 11 different? One word: Copilot. ... If you’ve ever wished your computer could just “do the thing” you’re trying to describe — Copilot is your new best friend." Asus also says that you will be making the "smart move" by switching to Windows 11 now from 10. In the blog post under a subheading titled "It’s Not Just an Upgrade, It’s a Smart Move." The Taiwanese firm writes, "Upgrading to Windows 11 isn’t just about staying current ― it’s also about staying safe, working smarter, and getting more out of your computer every day." As such, the company also published a guide on how to proceed with the upgrade. Do you agree with Asus? When are you upgrading? Let us know below!
  • Recent Achievements

    • Posting Machine
      Fiza Ali earned a badge
      Posting Machine
    • One Year In
      WaynesWorld earned a badge
      One Year In
    • First Post
      chriskinney317 earned a badge
      First Post
    • Week One Done
      Nullun earned a badge
      Week One Done
    • First Post
      sultangris earned a badge
      First Post
  • Popular Contributors

    1. 1
      +primortal
      181
    2. 2
      snowy owl
      130
    3. 3
      ATLien_0
      127
    4. 4
      Xenon
      119
    5. 5
      +Edouard
      91
  • Tell a friend

    Love Neowin? Tell a friend!