• 0

Repository - your implementations


Question

The repository pattern seems to be really popular for isolation and testing purposes. I was just curious in a general description how do you guys keep your repositories safe? Because if someone accesses a generic repository that isn't supposed to they could run all kinds of commands on your database. So what types of checks do you implement at the repository level?


EDIT: I'm not asking for in-depth examples btw, I know how to do basic authentication/authorization checks. I'm just more curious whether people are using better methods than what I currently know. I love to research how to improve my programming :)

https://www.neowin.net/forum/topic/1163292-repository-your-implementations/

13 answers to this question


  • 0

What do you mean by "generic repository"? Can you give an example?

Securely performing data access is a fairly big topic. At the very least you should be sanitizing your inputs. A repository object allows you to encapsulate this, so that you can hide the implementation details from people using your code.

Pseudocode example:


using System;

class Person
{
    public string Forename;
    public string Surname;
    public string DateOfBirth;
}

interface IRepository<T>
{
    void Insert(T item);
}

class PersonRepository : IRepository<Person>
{
    public Person FindByName(string forename, string surname)
    {
        // Code to find person, with names sanitized appropriately, or using proper database objects.
        throw new NotImplementedException();
    }

    // Interface members must be public for the class to compile.
    public void Insert(Person item)
    {
        // Code to insert person, with person's information sanitized appropriately, or using proper database objects.
        throw new NotImplementedException();
    }
}

If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

Example:


    PersonRepository repo = new PersonRepository();

    Person p;

    // Try an SQL injec

(I tried to give an example, but I guess the forum blocks it as an SQL injection attempt :rofl:)
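As an added example (not Majesticmerc's code), here is one way to write the FindByName method so that the repository, rather than its callers, decides what reaches the database: it rejects malformed names outright and hands the values to SQL Server as parameters instead of concatenating them into the query text. The People table, its column names and the 100-character limit are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public class Person
{
    public string Forename { get; set; }
    public string Surname { get; set; }
}

public class PersonRepository
{
    private readonly string _connectionString;

    public PersonRepository(string connectionString) { _connectionString = connectionString; }

    // Reject junk at the boundary rather than trying to escape it: the caller gets an
    // ArgumentException and nothing is sent to the database.
    private static void RequireName(string value, string paramName)
    {
        if (string.IsNullOrWhiteSpace(value) || value.Length > 100)
            throw new ArgumentException("Name must be 1-100 non-blank characters.", paramName);
    }

    public IList<Person> FindByName(string forename, string surname)
    {
        RequireName(forename, "forename");
        RequireName(surname, "surname");
        var results = new List<Person>();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = conn.CreateCommand())
        {
            // Parameters instead of string concatenation: the values travel separately from
            // the SQL text, so quotes or SQL keywords inside a name are only ever data.
            cmd.CommandText = "SELECT Forename, Surname FROM People " +
                              "WHERE Forename = @forename AND Surname = @surname";
            cmd.Parameters.Add("@forename", SqlDbType.NVarChar, 100).Value = forename;
            cmd.Parameters.Add("@surname", SqlDbType.NVarChar, 100).Value = surname;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(new Person { Forename = reader.GetString(0), Surname = reader.GetString(1) });
            }
        }
        return results;
    }
}
```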
  • 0
  Quote


If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

void Insert(Person item) { }

But with this approach, how do you know if the Insert() method was successful, or contains warnings or errors?

  • 0
  On 07/07/2013 at 22:37, WinRT said:
void Insert(Person item) { }

But with this approach, how do you know if the Insert() method was successful, or contains warnings or errors?

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.
  • 0
  On 07/07/2013 at 22:50, Majesticmerc said:

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.


OK, I have heard that try/catch blocks cause some performance hit and I don't want them in my callers, so I use the return class method like this:

using System; // for Exception

public enum MessageType
{
   OK,
   Warning,
   Error
}

public class Message
{
   public string Text { get; set; }
   public MessageType Type { get; set; }
   public void Set(string text, MessageType type) { Text = text; Type = type; }
   public void Set(Exception e) { Text = e.Message; Type = MessageType.Error; }
}

//In the repository...
public Message Insert(Person item)
{
   var result = new Message();
   //... perform the insert, calling result.Set(...) on a warning or an error
   return result;
}

?

I use ASP.NET MVC4 btw :)

  • 0

The performance hit of try/catch is nothing to worry about. If the code is done right, it shouldn't fail. Most adapters will throw exceptions anyway, so you need to catch them. As for basic logic, #1: make sure your DB uses proper users/passwords. You could have a server that runs the queries and have clients that connect and use sessions and request data that way. You could have tables in the DB itself that handle sessions, with IPs and accounts. There are tons of different security implementations you could use.

  • 0
  On 07/07/2013 at 23:33, WinRT said:

Ok I have heard that try/catch blocks cause some performance hit 

And testing for return codes also causes a performance hit, branches are far from free on modern CPUs. However you handle error conditions, it's going to cost something.

  • Like 2
  • 0

I was thinking something similar to the evn show when I first saw the question, then I considered a custom repository for a specific program. I use git+gitolite for my source code repository management, but I don't think that is too devious. The latter interpretation of your question I have attempted only once. I implemented a hosted repository in one of my larger programs. I simply hosted zip files in a single directory on a web server on the internal LAN. At first I had the repository location and names of the zips hard-coded into the program, but I eventually allowed the repository URL to be set by the user and hosted a libconfig configuration file that contained metadata about each zip hosted in the repository. It was not a complex implementation, but it worked for my purposes.

  • 0

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

  • 0
  On 08/07/2013 at 23:03, Majesticmerc said:

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.


Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never heard of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

  • 0
  On 08/07/2013 at 23:03, Majesticmerc said:

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

Yeah I was. I was just thinking, for an MVC web site, if you have a repository pattern (internal of course, not publicly accessed) and someone compromises your system, what types of security measures do you have in place in case someone finds a way to call MyRepository.DeleteAllData(); // granted, such a silly function wouldn't exist but you get the gist. Thanks for the replies so far guys. I already use sanitization so I'm happy to see I'm doing the same thing most people are doing there. I never trust user input. Seems to be a golden rule: never trust input to be valid.
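An added example (not from any poster) that ties the DeleteAllData scenario above to WinRT's result-class approach earlier in the thread: the repository itself checks the caller's principal before a destructive operation, writes an audit line either way, and reports the outcome through a Message object rather than an exception. The DataAdmin role name, the in-memory list standing in for the table and the audit delegate are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public enum MessageType { OK, Warning, Error }

public class Message
{
    public MessageType Type { get; private set; }
    public string Text { get; private set; }
    public Message(MessageType type, string text) { Type = type; Text = text; }
}

public class PersonRepository
{
    private readonly IPrincipal _caller;       // who is using this repository instance
    private readonly Action<string> _audit;    // sink for the audit trail (assumed)
    private readonly List<string> _people = new List<string> { "Alice", "Bob" }; // stand-in for the table

    public PersonRepository(IPrincipal caller, Action<string> audit) { _caller = caller; _audit = audit; }
    public int Count { get { return _people.Count; } }

    // The check lives inside the repository, so any code path that reaches this method,
    // compromised controller or not, still cannot wipe the table without the role.
    public Message DeleteAll()
    {
        if (_caller == null || !_caller.Identity.IsAuthenticated || !_caller.IsInRole("DataAdmin"))
        {
            _audit("DeleteAll denied for " + (_caller == null ? "<anonymous>" : _caller.Identity.Name));
            return new Message(MessageType.Error, "Not authorised to delete all people.");
        }
        int removed = _people.Count;
        _people.Clear();
        _audit("DeleteAll by " + _caller.Identity.Name + " removed " + removed + " people");
        return new Message(removed == 0 ? MessageType.Warning : MessageType.OK, removed + " people deleted.");
    }
}

public static class Demo
{
    public static void Main()
    {
        var audit = new List<string>();
        var user = new GenericPrincipal(new GenericIdentity("webuser"), new[] { "User" });
        var repo = new PersonRepository(user, audit.Add);
        Console.WriteLine(repo.DeleteAll().Type + ", " + repo.Count + " people left"); // role missing: denied
        var admin = new GenericPrincipal(new GenericIdentity("dba"), new[] { "DataAdmin" });
        repo = new PersonRepository(admin, audit.Add);
        Console.WriteLine(repo.DeleteAll().Type + ", " + repo.Count + " people left"); // role present: allowed
        audit.ForEach(Console.WriteLine);
    }
}
```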

  • 0
  On 08/07/2013 at 23:10, xorangekiller said:

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never heard of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.


It's just a common design pattern; people have implemented it in all kinds of languages for several years. I'm not sure who 'invented' the repository pattern, but I believe it was popularised in 2002 after being featured in Martin Fowler's "Patterns of Enterprise Application Architecture". That's the first book I remember referencing the repository pattern, anyway.

  • 0
  On 08/07/2013 at 23:10, xorangekiller said:

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never heard of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

It's a fairly common term in my experience, but then I was a web dev for 2 years before my current job, so I could be biased. I can't really say I've seen it used outside of web dev.

It's an OOP design pattern used to abstract away the implementation of data storage, so that the "Repository" object can be modified (or replaced entirely) without the dependent objects being aware of the changes. An ideal repository could look and act like a standard in-memory container class, providing methods for adding, removing and updating the stored objects.

This topic is now closed to further replies.