** Please visit https://speakerdeck.com/mosky/mosql-more-than-sql-but-less-than-orm-at-pycon-apac-2013 for the newer slide. :)
These are the slides of the talk "MoSQL: More than SQL, but Less than ORM", given at PyCon TW 2013.
About MoSQL:
MoSQL is a Python library that lets you build SQL from common Python data structures, and provides a convenient model of the result set.
http://mosql.mosky.tw/
2.
More than SQL, but Less than ORM
MoSQL
3.
Outline
● Why not SQL?
● Why ORM?
● MoSQL
– SQL Builders
– Model of Result Set
● Conclusion
5.
SQL Syntax
● SELECT * FROM article;
● SELECT * FROM article LIMIT 1;
● add “ ORDER BY created ”?
● add “ OFFSET 10 ”?
● add “ GROUP BY author ”?
● Is “ UPDATE article WHERE title='SQL' SET title='ORM' ” correct?
7.
SQL Injection
● ') or '1'='1
● ' or true; --
● ' or 1=1; --
● ' or 2=2; --
● ' or 'str'='str'; --
● …
8.
It may be hacker friendly.
15.
SQL Injection
● ' or true; --
● ' or 1=1; --
● ' or 1=1; #
● ' or 1=1; /*
● ') or '1'='1
● …
● Safer
37.
Model: Pop and Append
>>> d = Detail.where(person_id='mosky', key='email')
>>> d.pop(-1)
>>> d.append({'val': '<new mail>'})
>>> d.save()
40.
Security
● Security by default.
● Use escaping technique.
● Prevent SQL injection from both value and identifier.
● Passed the tests from sqlmap at level=5 and risk=3.
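An added illustration of the escaping technique this slide describes (this is example code, not MoSQL's own implementation): values become single-quoted literals with embedded quotes doubled, identifiers become double-quoted names, and the injection strings from the earlier slides are run through the resulting query against a constructed in-memory SQLite table to confirm they match nothing.

```python
import sqlite3

def escape_value(value):
    """Render a Python value as a SQL literal (None, bool, int, float, str)."""
    if value is None:
        return 'NULL'
    if isinstance(value, bool):          # checked before int: bool is an int subclass
        return 'TRUE' if value else 'FALSE'
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        # Doubling the single quote keeps the whole string inside the literal,
        # so "' or 1=1; --" cannot terminate it and start a new clause.
        return "'" + value.replace("'", "''") + "'"
    raise TypeError('unsupported value type: %r' % type(value))

def quote_identifier(name):
    """Quote a table or column name; a double quote inside it is doubled."""
    return '"' + name.replace('"', '""') + '"'

def select(table, where):
    """Build: SELECT * FROM "table" WHERE "k1" = v1 AND "k2" = v2 (dict order)."""
    conditions = ' AND '.join(
        '%s = %s' % (quote_identifier(k), escape_value(v))
        for k, v in where.items())
    return 'SELECT * FROM %s WHERE %s' % (quote_identifier(table), conditions)

def count_rows(password):
    """Use `password` as a WHERE value against a constructed one-row table and
    return how many rows the query reaches; an injection string should reach 0."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE person (person_id TEXT, password TEXT)')
    conn.execute("INSERT INTO person VALUES ('mosky', 'secret')")  # constructed data
    sql = select('person', {'person_id': 'mosky', 'password': password})
    return len(conn.execute(sql).fetchall())
```

The quoting rules above are SQL-standard (PostgreSQL, SQLite); backends with different escaping conventions need their own rules, which is why parameterized queries remain the simplest defence where the driver offers them.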