• 0

Repository - your implementations


Question

The repository pattern seems to be really popular for isolation and testing purposes. I was just curious in a general description how do you guys keep your repositories safe? Because if someone accesses a generic repository that isn't supposed to they could run all kinds of commands on your database. So what types of checks do you implement at the repository level?

 

EDIT: I'm not asking for in-depth examples btw, I know how to do basic authentication/authorization checks. I'm just more curious if people are using better methods than what I currently know. I love to research how to improve my programming :)

https://www.neowin.net/forum/topic/1163292-repository-your-implementations/

13 answers to this question


  • 0

What do you mean by "generic repository"? Can you give an example?

Securely performing data access is a fairly big topic. At the very least you should be sanitizing your inputs. A repository object allows you to encapsulate this, so that you can hide the implementation details from people using your code.

Pseudocode example:

 

class Person
{
    public string Forename;
    public string Surname;
    public string DateOfBirth;
}

interface IRepository<T>
{
    void Insert(T item);
}

class PersonRepository : IRepository<Person>
{
    public Person FindByName(string forename, string surname)
    {
        // Code to find person, with names sanitized appropriately, or using proper database objects.
        throw new System.NotImplementedException(); // placeholder so the sketch compiles
    }

    // Interface members must be public in the implementing class.
    public void Insert(Person item)
    {
        // Code to insert person, with person's information sanitized appropriately, or using proper database objects.
    }
}

If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

Example:

 

    PersonRepository repo = new PersonRepository();

    Person p;

    // Try an SQL injec
(I tried to give an example, but I guess the forum blocks it as an SQL injection attempt :rofl:)
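
The repository-side input handling described in this answer, as an added example that is not part of the original post: the repository validates each value and binds it as a query parameter, so hostile text is stored as data instead of being parsed as SQL. The Microsoft.Data.Sqlite provider, the `person` table, the 100-character limit and the `junk` input are assumptions made for the illustration.

```csharp
using System;
using System.Data;
using Microsoft.Data.Sqlite; // assumed provider (NuGet package); the repository itself only needs IDbConnection

using var db = new SqliteConnection("Data Source=:memory:");
db.Open();
using (var ddl = db.CreateCommand()) // hypothetical schema for this example
{ ddl.CommandText = "CREATE TABLE person (forename TEXT, surname TEXT)"; ddl.ExecuteNonQuery(); }
var repo = new PersonRepository(db);
string junk = "x'); DROP TABLE person;--"; // constructed hostile input
repo.Insert(new Person { Forename = junk, Surname = "Test" });
// The junk comes back as an ordinary stored value and the table still exists.
Console.WriteLine(repo.FindByName(junk, "Test") != null ? "stored as data" : "not found");

class Person { public string Forename; public string Surname; }

class PersonRepository
{
    private const int MaxLength = 100; // assumed limit for this example
    private readonly IDbConnection _db;
    public PersonRepository(IDbConnection db) { _db = db; }

    // Validate first, then bind every value as a parameter; values never become SQL text.
    private IDbCommand Command(string sql, string forename, string surname)
    {
        var args = new[] { ("@forename", forename), ("@surname", surname) };
        foreach (var (name, value) in args)
            if (string.IsNullOrWhiteSpace(value) || value.Length > MaxLength)
                throw new ArgumentException("Invalid value for " + name);
        IDbCommand cmd = _db.CreateCommand();
        cmd.CommandText = sql;
        foreach (var (name, value) in args)
        {
            IDbDataParameter p = cmd.CreateParameter();
            p.ParameterName = name;
            p.Value = value;
            cmd.Parameters.Add(p);
        }
        return cmd;
    }
    public void Insert(Person item)
    {
        using var cmd = Command("INSERT INTO person (forename, surname) VALUES (@forename, @surname)", item.Forename, item.Surname);
        cmd.ExecuteNonQuery();
    }
    public Person FindByName(string forename, string surname)
    {
        using var cmd = Command("SELECT forename, surname FROM person WHERE forename = @forename AND surname = @surname", forename, surname);
        using var reader = cmd.ExecuteReader();
        return reader.Read() ? new Person { Forename = reader.GetString(0), Surname = reader.GetString(1) } : null;
    }
}
```

Because the repository depends only on `IDbConnection`, the same class works with any ADO.NET provider that accepts `@name` parameters.
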
  • 0
  Quote

 

If you do the code to sanitize the database input inside the repository, your calling code can provide any kind of junk, and the repository should just spit out an error (or escape any risky code before running it).

void Insert(Person item) { }

but.. With this approach, how do you know if the Insert() method was successful, contains warnings or errors?

  • 0
  On 07/07/2013 at 22:37, WinRT said:
void Insert(Person item) { }
but.. With this approach, how do you know if the Insert() method was successful, contains warnings or errors?

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.
  • 0
  On 07/07/2013 at 22:50, Majesticmerc said:

Off the top of my head, there are two possible approaches.

  • Throw an exception, and wrap the call in a try/catch block. Then if the insert fails at any point, throw the exception and get the caller to handle it. This would probably be my preference because it forces the caller to deal with the exception case.
  • Have a returnable "RepositoryInsertResult" class that describes the state of the repository after the insert. Then the caller can query the result and identify what, if anything, went wrong.

 

 

Ok, I have heard that try/catch blocks cause some performance hit and I don't want them in my callers, so I use the return class method like this:

public enum MessageType
{
   OK,
   Warning,
   Error
}

public class Message
{
   public string Text { get; set; }
   public MessageType Type { get; set; }
   public void Set(string text, MessageType type) { }
   public void Set(Exception e) { }
}

//In the repository...
public Message Insert(Person item)
{
   //...
}

?

 I use ASP.NET MVC4 btw :)

  • 0

The performance hit of try catch is nothing to worry about. As if the code is done right it shouldn't fail. Most adapters will throw exceptions anyways so you need to catch them. As for basic logic, #1.. make sure your db uses proper users/passwords. You could have a server that runs the queries and have clients that connect and use sessions and request data that way. You could have tables in the db itself that handle sessions, w/ IPs and accounts. There are tonnes of different security implementations you could use.

  • 0
  On 07/07/2013 at 23:33, WinRT said:

Ok I have heard that try/catch blocks cause some performance hit 

And testing for return codes also causes a performance hit, branches are far from free on modern CPUs. However you handle error conditions, it's going to cost something.

  • 0

I was thinking something similar to the evn show when I first saw the question, then I considered a custom repository for a specific program. I use git+gitolite for my source code repository management, but I don't think that is too devious. The latter interpretation of your question I have attempted only once. I implemented a hosted repository in one of my larger programs. I simply hosted zip files in a single directory on a web server on the internal LAN. At first I had the repository location and names of the zips hard-coded into the program, but I eventually allowed the repository URL to be set by the user and hosted a libconfig configuration file that contained metadata about each zip hosted in the repository. It was not a complex implementation, but it worked for my purposes.

  • 0

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

  • 0
  On 08/07/2013 at 23:03, Majesticmerc said:

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

 

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never heard of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

  • 0
  On 08/07/2013 at 23:03, Majesticmerc said:

He states in the OP that he's talking about the "Repository Pattern", as well as references to database access, so I would presume that to be referring to the actual Repository Pattern, a technique used to abstract away data storage.

Yeah I was. I just was thinking for an MVC web site if you have a repository pattern (internal of course, not publicly accessed), if someone compromises your system what types of security measures do you have in place in case someone finds a way to call MyRepository.DeleteAllData(); // granted, such a silly function wouldn't exist but you get the gist. Thanks for the replies so far guys. I already use sanitation so I'm happy to see I'm doing the same thing most people are doing there. I never trust user input. Seems to be a golden rule, never trust input to be valid.

  • 0
  On 08/07/2013 at 23:10, xorangekiller said:

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never heard of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

 

It's just a common design pattern, people have implemented it in all kinds of languages for several years. I'm not sure who 'invented' the repository pattern but I believe it was popularised in 2002 after being featured in Martin Fowler's "Patterns of Enterprise Application Architecture", that's the first book I remember referencing the repository pattern anyway.

  • 0
  On 08/07/2013 at 23:10, xorangekiller said:

Thanks for the very informative link. I completely missed the reference in the OP, probably because I had never heard of a "Repository Pattern" before. Is that a Microsoft-ism, or a language/technology-specific term? I admit that I don't know C# and don't work with Microsoft technology much anymore, but it is not something I have ever come across before in my work.

It's a fairly common term in my experience, but then I was a web dev for 2 years before my current job, so I could be biased. I can't really say I've seen it used out of web dev.

It's an OOP design pattern used to abstract away the implementation of data storage, so that the "Repository" object can be modified (or replaced entirely) without the dependent objects being aware of the changes. An ideal repository could look and act like a standard in-memory container class, providing methods for adding, removing and updating the stored objects.

This topic is now closed to further replies.