
Repository - your implementations


Question

The repository pattern seems to be really popular for isolation and testing purposes. I was just curious in a general description how do you guys keep your repositories safe? Because if someone accesses a generic repository that isn't supposed to they could run all kinds of commands on your database. So what types of checks do you implement at the repository level?

 

EDIT: I'm not asking for in-depth examples btw, I know how to do basic authentication/authorization checks, I'm just more curious if people are using better methods than what I currently know. I love to research how to improve my programming :)

https://www.neowin.net/forum/topic/1163292-repository-your-implementations/

13 answers to this question


  • 0

What do you mean by "generic repository"? Can you give an example?

Securely performing data access is a fairly big topic. At the very least you should be sanitizing your inputs. A repository object allows you to encapsulate this, so that you can hide the implementation details from people using your code.

Pseudocode example:

 

using System;

class Person
{
    public string Forename;
    public string Surname;
    public string DateOfBirth;
}

interface IRepository<T>
{
    void Insert(T item);
}

class PersonRepository : IRepository<Person>
{
    // Interface members must be public on the implementing class.
    public Person FindByName(string forename, string surname)
    {
        // Code to find person, with names sanitized appropriately, or using proper database objects
        // (e.g. parameterized queries); returns the matching Person, or null if none is found.
        throw new NotImplementedException();
    }

    public void Insert(Person item)
    {
        // Code to insert person, with person's information sanitized appropriately, or using proper database objects.
        throw new NotImplementedException();
    }
}

If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

Example:

 

    PersonRepository repo = new PersonRepository();

    Person p;

    // Try an SQL injec
(I tried to give an example, but I guess the forum blocks it as an SQL injection attempt :rofl:)
  • 0

 

If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

void Insert(Person item) { }

but.. With this approach, how do you know if the Insert() method was successful, contains warnings or errors?

  • 0
  On 07/07/2013 at 22:37, WinRT said:
void Insert(Person item) { }
but.. With this approach, how do you know if the Insert() method was successful, contains warnings or errors?

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.
  • 0
  On 07/07/2013 at 22:50, Majesticmerc said:

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.

 

 

Ok I have heard that try/catch blocks cause some performance hit and I don't want them in my callers, so I use the return class method like this:

using System;

public enum MessageType
{
   OK,       // first value, so a new Message defaults to OK
   Warning,
   Error
}

public class Message
{
   public string Text { get; set; }
   public MessageType Type { get; set; }

   public void Set(string text, MessageType type)
   {
      Text = text;
      Type = type;
   }

   public void Set(Exception e)
   {
      // An exception caught inside the repository is reported as an Error
      Text = e.Message;
      Type = MessageType.Error;
   }
}

//In the repository...
public Message Insert(Person item)
{
   var result = new Message();
   //... perform the insert; on a problem call result.Set(...) with the warning or error
   return result;
}

?

 I use ASP.NET MVC4 btw :)
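As an added example, not code from this thread: a Python/sqlite3 version of the repository above that keeps all SQL inside the repository, uses parameterized queries instead of hand-sanitizing, and reports the outcome of insert() with a result object like WinRT's Message class rather than throwing. The validation rules (printable names up to 100 characters, YYYY-MM-DD dates) and the person table layout are assumptions.

```python
import re
import sqlite3
from dataclasses import dataclass
from enum import Enum

MessageType = Enum("MessageType", "OK WARNING ERROR")

@dataclass
class Message:  # result object returned from insert() instead of raising
    type: MessageType = MessageType.OK
    text: str = ""

@dataclass
class Person:
    forename: str
    surname: str
    date_of_birth: str

class PersonRepository:
    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn
        conn.execute("CREATE TABLE IF NOT EXISTS person (forename TEXT, surname TEXT, dob TEXT)")

    def insert(self, p: Person) -> Message:
        # Validate (assumed policy): names are 1-100 printable chars, DOB is YYYY-MM-DD.
        # Junk is rejected with an Error message rather than "cleaned" and stored.
        if not all(re.fullmatch(r"[^\x00-\x1f\x7f]{1,100}", n) for n in (p.forename, p.surname)):
            return Message(MessageType.ERROR, "name must be 1-100 printable characters")
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", p.date_of_birth):
            return Message(MessageType.ERROR, "date of birth must be YYYY-MM-DD")
        try:
            # Parameterized query: the driver binds the values, so quotes or SQL keywords in a name stay data.
            self._conn.execute("INSERT INTO person VALUES (?, ?, ?)",
                               (p.forename, p.surname, p.date_of_birth))
            self._conn.commit()
        except sqlite3.DatabaseError as e:
            return Message(MessageType.ERROR, str(e))  # driver failure -> Error for the caller
        return Message()  # defaults to OK

    def find_by_name(self, forename: str, surname: str) -> list:
        sql = "SELECT forename, surname, dob FROM person WHERE forename = ? AND surname = ?"
        return [Person(*r) for r in self._conn.execute(sql, (forename, surname))]

def demo():
    repo = PersonRepository(sqlite3.connect(":memory:"))
    ok = repo.insert(Person("Ada", "Lovelace", "1815-12-10"))
    tricky = "x'; DROP TABLE person; --"  # constructed hostile-looking input
    stored = repo.insert(Person("Bob", tricky, "1990-01-01"))  # lands as a literal surname
    rejected = repo.insert(Person("", "Nobody", "not-a-date"))
    return ok.type, stored.type, rejected.type, len(repo.find_by_name("Bob", tricky))
```

The caller checks `Message.type` exactly as with the C# result class; the table survives the hostile-looking surname because it was bound as a parameter, not spliced into the SQL text.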

  • 0

The performance hit of try/catch is nothing to worry about. As if the code is done right it shouldn't fail. Most adapters will throw exceptions anyways so you need to catch them. As for basic logic, #1.. make sure your db uses proper users/passwords. You could have a server that runs the queries and have clients that connect and use sessions and request data that way. You could have tables in the db itself that handle sessions, w/ IPs and accounts. There are tons of different security implementations you could use.

  • 0
  On 07/07/2013 at 23:33, WinRT said:

Ok I have heard that try/catch blocks cause some performance hit 

And testing for return codes also causes a performance hit, branches are far from free on modern CPUs. However you handle error conditions, it's going to cost something.

  • Like 2
  • 0

I was thinking something similar to the evn show when I first saw the question, then I considered a custom repository for a specific program. I use git+gitolite for my source code repository management, but I don't think that is too devious. The latter interpretation of your question I have attempted only once. I implemented a hosted repository in one of my larger programs. I simply hosted zip files in a single directory on a web server on the internal LAN. At first I had the repository location and names of the zips hard-coded into the program, but I eventually allowed the repository URL to be set by the user and hosted a libconfig configuration file that contained metadata about each zip hosted in the repository. It was not a complex implementation, but it worked for my purposes.

  • 0

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

  • 0
  On 08/07/2013 at 23:03, Majesticmerc said:

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

 

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never heard of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

  • 0
  On 08/07/2013 at 23:03, Majesticmerc said:

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

Yeah I was. I was just thinking, for an MVC web site, if you have a repository pattern (internal of course, not publicly accessed), if someone compromises your system what types of security measures do you have in place in case someone finds a way to call MyRepository.DeleteAllData(); // granted, such a silly function wouldn't exist but you get the gist. Thanks for the replies so far guys. I already use sanitation so I'm happy to see I'm doing the same thing most people are doing there. I never trust user input. Seems to be a golden rule: never trust input to be valid.

  • 0
  On 08/07/2013 at 23:10, xorangekiller said:

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never heard of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

 

It's just a common design pattern, people have implemented it in all kinds of languages for several years. I'm not sure who 'invented' the repository pattern but I believe it was popularised in 2002 after being featured in Martin Fowler's "Patterns of Enterprise Application Architecture", that's the first book I remember referencing the repository pattern anyway.

  • 0
  On 08/07/2013 at 23:10, xorangekiller said:

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never heard of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

It's a fairly common term in my experience, but then I was a web dev for 2 years before my current job, so I could be biased. I can't really say I've seen it used out of web dev.

It's an OOP design pattern used to abstract away the implementation of data storage, so that the "Repository" object can be modified (or replaced entirely) without the dependent objects being aware of the changes. An ideal repository could look and act like a standard in-memory container class, providing methods for adding, removing and updating the stored objects.

This topic is now closed to further replies.