[annotator-dev] Annotator store for MySQL

johnny jiang johnny.nan.jiang at gmail.com
Sat Oct 20 01:31:27 UTC 2012


Hi Nick,

No worries, your feedback is highly appreciated actually.

This is the first version of our migration work, and I do think it is a
good idea to confirm with our developer who did this work whether there
is any potential risk of SQL injection. I will do that and let you guys
know.

It is always good to hear feedback and have discussion around tech, so keep
it up :)

Kind regards,
Johnny

On Sat, Oct 20, 2012 at 10:29 AM, Nick Stenning <nick at whiteink.com> wrote:

> Well that was rather rude of me. I saw a "%s" and reacted viscerally.
> It looks like I might be completely wrong, though. While I'm not
> totally familiar with the MySQLdb module, I guess the
> cur.execute("select from ... where id = %s", _id) pattern isn't
> sql-injection susceptible.
>
> My apologies,
> N
>
> P.S. Although understanding what SQL injection is and knowing how to
> defend against it are still obviously good things!
>
> On Sat, Oct 20, 2012 at 12:20 AM, Nick Stenning <nick at whiteink.com> wrote:
> > Johnny,
> >
> > It's great that you're looking into running Annotator on an SQL data
> > store. I've had a quick look at the files you sent over, and I cannot
> > recommend strongly enough that you read up on SQL injection attacks,
> > and how to protect your applications from them. Your code is trivially
> > susceptible to this kind of exploit, and I'd suggest you're very
> > careful about where you use it.
> >
> > Best wishes -- not intending to be a total spoilsport,
> > Nick
> >
> > On Fri, Oct 19, 2012 at 11:26 AM, johnny jiang
> > <johnny.nan.jiang at gmail.com> wrote:
> >> Hi folks,
> >>
> >> Here you go all the files required to get the annotator datastore
> >> working with MySQL.
> >>
> >> Please refer to readme.txt for instructions, and please feel free to let
> >> me know if you have any questions.
> >>
> >> Kind regards,
> >> Johnny
> >>
> >>
> >> On Wed, Oct 17, 2012 at 4:17 AM, Randall Leeds <tilgovi at hypothes.is> wrote:
> >>>
> >>> On Tue, Oct 16, 2012 at 7:06 AM, Rufus Pollock <rufus.pollock at okfn.org> wrote:
> >>> > Definitely interested. If we could use SQLAlchemy for this (we had an
> >>> > sql version before) then we should be able to switch the exact RDBMS
> >>> > pretty easily!
> >>>
> >>> Very interested as well.
> >>>
> >>> >
> >>> > Rufus
> >>> >
> >>> > On 16 October 2012 12:53, johnny jiang <johnny.nan.jiang at gmail.com>
> >>> > wrote:
> >>> >> Hi guys,
> >>> >>
> >>> >> Recently we've completed migrating the Annotator store from
> >>> >> elasticsearch + python to MySQL (it still needs elasticsearch and
> >>> >> python, it just uses MySQL as the data store). I was wondering if
> >>> >> anyone is interested in it, so I'm happy to share it?
> >>> >>
> >>> >> Kind regards,
> >>> >> Johnny
> >>> >>
> >>> >>
> >>> >> _______________________________________________
> >>> >> annotator-dev mailing list
> >>> >> annotator-dev at lists.okfn.org
> >>> >> http://lists.okfn.org/mailman/listinfo/annotator-dev
> >>> >>
> >>> >
> >>> >
> >>> >
> >>> > --
> >>> > Co-Founder, Open Knowledge Foundation
> >>> > Promoting Open Knowledge in a Digital Age
> >>> > http://www.okfn.org/ - http://blog.okfn.org/
> >>> >
> >>
> >>
> >>
> >>
>
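The point Nick stumbled over, the `%s` placeholder of a DB-API driver versus Python's `%` string operator, shown side by side as an added example (this is not code from the Annotator MySQL store or from anyone in the thread). It uses the stdlib `sqlite3` driver so it runs offline; `sqlite3` writes its placeholder as `?` where MySQLdb writes `%s`, but in both cases the parameter is bound only when it is passed as the second argument to `execute()`. The table, rows and malicious id are constructed for the demonstration.

```python
# Added example: the same annotation lookup written unsafely (Python %
# formatting on the query text) and safely (driver parameter binding).
# sqlite3 is DB-API 2.0 like MySQLdb; only the placeholder spelling differs
# ("?" here, "%s" for MySQLdb's paramstyle "format").
import sqlite3

def make_db():
    """Constructed sample store: three annotations with string ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE annotation (id TEXT PRIMARY KEY, text TEXT)")
    conn.executemany(
        "INSERT INTO annotation VALUES (?, ?)",
        [("a1", "first"), ("a2", "second"), ("a3", "third")],
    )
    return conn

def get_annotation_unsafe(conn, _id):
    """Python's % operator splices the untrusted id into the SQL text
    before the driver ever sees it, so the id can rewrite the statement."""
    cur = conn.cursor()
    cur.execute("SELECT id, text FROM annotation WHERE id = '%s'" % _id)
    return cur.fetchall()

def get_annotation_safe(conn, _id):
    """The id is handed to the driver as a parameter and bound as a value;
    it is only ever compared, never parsed as SQL.
    MySQLdb equivalent: cur.execute("... WHERE id = %s", (_id,))"""
    cur = conn.cursor()
    cur.execute("SELECT id, text FROM annotation WHERE id = ?", (_id,))
    return cur.fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed malicious id: closes the quoted literal and widens the WHERE.
    evil = "x' OR '1'='1"
    print(get_annotation_unsafe(db, evil))  # all three rows
    print(get_annotation_safe(db, evil))    # [] - no annotation has that id
```

The review check that follows from this: a `%` operator or `.format()` applied to the query string before `execute()` is the red flag, while `%s` in the query with a separate args tuple is the driver's own placeholder and is fine.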