[Ur] No sql_injectable(_prim) xbody (or xml in general).

Artyom Shalkhakov artyom.shalkhakov at gmail.com
Thu Nov 2 23:19:40 EDT 2017


Hello Peter,

2017-11-03 1:59 GMT+06:00 Peter Brottveit Bock <post at peterbb.net>:

> Hi,
>
> It seems to me that it's not possible to store xml in a database. Is there
> any reason for this?
>
> My understanding of ur/web is that the xml data type is—under the
> hood—simply a string. I therefore would have thought it would be trivial to
> store it in a database.
>
>
Storing it in a database is prone to XML/HTML injection (therefore the
general case is disallowed).

If you want to store it in a database, then you will have to print it to a
string and then parse it back into XML/HTML (for a strictly controlled
subset of XML/HTML).

There is a library for this use-case in UPO:

https://github.com/achlipala/upo/blob/master/html.urs


> As a minimal example:
>
> ------------------
> table db : { Elem : xbody }
>
> fun display_db () =
>     queryX (SELECT * FROM db)
>            (fn row => row.Db.Elem)
>
> fun add_to_db (x : xbody) : transaction unit =
>     dml (INSERT INTO db(Elem) VALUES ({[x]}))
>
> fun main () =
>     add_to_db <xml> Hello </xml>;
>     display_db ()
> ------------------
>
> fails with
> ------------------
> example.ur:5:38: (to 5:43) Can't resolve type class instance
>        Class constraint:
> sql_injectable (xml ([Dyn = (), MakeForm = (), Body = ()]) ([]) ([]))
> Reduced to unresolvable:
> sql_injectable_prim
>  (xml ([Dyn = (), MakeForm = (), Body = ()]) ([]) ([]))
> ------------------
>
> — Peter
>



-- 
Cheers,
Artyom Shalkhakov
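The print-to-string-then-reparse pattern Artyom describes, as an added example that is not part of this thread, of Ur/Web, or of UPO's html.urs: the database column holds only a plain string, and the one code path that turns that string back into markup is an allowlist parser, so a stored `<script>` element, an `onclick` attribute or a `javascript:` href comes out as inert text. It is written in Python with the standard library (sqlite3 and html.parser) rather than Ur/Web, so the table `db`, the column `elem`, the allowed-tag set and the scheme allowlist are assumptions chosen for illustration, and the sample rows are constructed.

```python
"""Store markup as a string; re-parse it into a strict subset on read.

Added illustration (not Ur/Web or UPO code). Table/column names, the
allowed tags and the safe URL schemes are assumptions for the example.
"""
import html
import sqlite3
from html.parser import HTMLParser

# Strict subset: tag -> attributes that may survive on that tag.
ALLOWED = {
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "a": {"href"},
}
SAFE_SCHEMES = ("http://", "https://")


class SubsetParser(HTMLParser):
    """Rebuilds markup from the allowlist only; everything else is text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # re-serialised, well-formed output pieces
        self.stack = []      # currently open allowed tags
        self.rejected = []   # tags dropped, kept for logging/auditing

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.rejected.append(tag)   # <script>, <img onerror=...> etc.
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue               # event handlers, style, etc.
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue               # javascript:, data:, vbscript:
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            # close anything opened after it so the output stays well-formed
            while self.stack:
                opened = self.stack.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        # Text (including the body of a rejected <script>) is always escaped.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.stack:                  # close tags the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def parse_strict_subset(stored):
    """String -> (safe markup string, list of rejected tag names)."""
    parser = SubsetParser()
    parser.feed(stored)
    parser.close()
    return parser.result(), parser.rejected


def open_db():
    """In-memory table mirroring Peter's `table db : { Elem : ... }`,
    but with a plain string column instead of xbody (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (elem TEXT NOT NULL)")
    return conn


def add_to_db(conn, markup):
    """Store the printed string as-is; no trust is attached on write."""
    conn.execute("INSERT INTO db(elem) VALUES (?)", (markup,))


def display_db(conn):
    """Every row passes through the subset parser before it becomes markup."""
    return [parse_strict_subset(row[0])[0]
            for row in conn.execute("SELECT elem FROM db ORDER BY rowid")]


if __name__ == "__main__":
    db = open_db()
    add_to_db(db, "<b>Hello</b>")
    # Constructed hostile row: what an xbody column would have served verbatim.
    add_to_db(db, '<script>alert(1)</script>'
                  '<a href="javascript:alert(2)" onclick="x()">x</a>')
    for rendered in display_db(db):
        print(rendered)
```

The important property is where trust is attached: the insert path stores whatever string it is given, and the select path never hands the raw string to the template. Whether the allowlist is this one or UPO's, the parse on the way out is the only step that can be audited for what markup reaches the browser.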