[Rails] Re: Best Practices: Escaping text on input or output?

Jon Smirl jonsmirl at gmail.com
Wed Feb 1 00:31:31 GMT 2006


On 1/31/06, Ben Munat <bent at munat.com> wrote:
> I have been gradually working my way around to the opinion that the application
> architecture as layer cake is a flawed model. Rather my new paradigm states that
> the application code -- the *model* -- is the defensive core and *all* approaches
> must be thoroughly guarded: including data from the db.
>
> Historically this is a reasonable position simply because there's always someone with
> command-line access to the db. I have seen plenty of situations where bad data
> caused an error... and the client didn't give a damn that it was his data that caused
> the error. More recently, web services have created another route into the app that
> avoids the UI layer. And -- despite DHH's claim to using "application" dbs over
> "integration" dbs -- it is extremely likely that someday the powers that be will want
> another app to talk to the same db.

Multiple apps accessing the same db is why you put your business logic
and validation rules into stored procedures. Then set the privs on the
tables so that no one can get to them, thus forcing everyone to use
the stored procedures.

If you try to reimplement the business logic in every app that touches
the db you violate DRY. And for sure, somewhere the two
implementations won't be identical.

I'd like to see better integration of stored procedures into RoR.

--
Jon Smirl
jonsmirl at gmail.com
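The lock-down-the-tables-and-expose-only-procedures pattern Jon describes, as an added PostgreSQL example (not code from this thread or from Rails). It assumes a database role named app_rw used by every application and a constructed accounts table; the validation rule and the grants are illustrative.

```sql
-- Constructed example: one validating procedure is the only way into the
-- table, so every app (Rails, a web service, a second app) shares the rule.
CREATE ROLE app_rw LOGIN;              -- assumed role that all applications connect as

CREATE TABLE accounts (
    id       serial PRIMARY KEY,
    email    text NOT NULL UNIQUE,
    balance  numeric(12,2) NOT NULL DEFAULT 0
);

-- Business rule lives here once instead of being re-implemented per app.
CREATE OR REPLACE FUNCTION create_account(p_email text)
RETURNS integer
LANGUAGE plpgsql
SECURITY DEFINER            -- runs with the owner's rights; callers need no table grants
SET search_path = public    -- pin the schema so a caller cannot shadow the table
AS $$
DECLARE
    new_id integer;
BEGIN
    -- Illustrative validation rule (simple shape check, not a full RFC parser).
    IF p_email !~ '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$' THEN
        RAISE EXCEPTION 'invalid email address: %', p_email
            USING ERRCODE = 'check_violation';
    END IF;
    INSERT INTO accounts (email) VALUES (lower(p_email)) RETURNING id INTO new_id;
    RETURN new_id;
END;
$$;

-- Close the direct route: the application role cannot touch the table at all.
REVOKE ALL ON accounts FROM PUBLIC;
REVOKE ALL ON accounts FROM app_rw;
-- PostgreSQL grants EXECUTE on new functions to PUBLIC by default, so revoke that too,
REVOKE EXECUTE ON FUNCTION create_account(text) FROM PUBLIC;
-- then grant only the procedure, so every client goes through the same validation.
GRANT EXECUTE ON FUNCTION create_account(text) TO app_rw;

-- Demonstration from the application role's point of view:
SET ROLE app_rw;
SELECT create_account('alice@example.com');    -- succeeds, returns the new id
SELECT create_account('not-an-address');       -- ERROR: invalid email address
INSERT INTO accounts (email) VALUES ('x@y.z'); -- ERROR: permission denied for table accounts
RESET ROLE;
```

The same REVOKE/GRANT pair, applied per table and per procedure, is what makes the rule enforceable even for someone with command-line access under the app_rw role rather than the owner role.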
