Ignite row count

[naleeha]

No description provided.

[netlify]

✅ Deploy Preview for papaya-valkyrie-395400 canceled.

Name	Link
🔨 Latest commit	91c0623
🔍 Latest deploy log	https://app.netlify.com/sites/papaya-valkyrie-395400/deploys/65d63b5cd5e52600092a34fc

[chrisjstevo]

Would we need to put a guard around this? I guess not as there should always be a count (even if its zero)

[naleeha]

yes and we need generally error handling in the whole on the ignite order store + ignite order data provider.
Started and parked the refactoring because multiple PR is touching this file.
Created dedicated issue #1216

[chrisjstevo]

One thing we should think about is whether we'd want to parametrize the sql statement, at the moment I think we'd be vulnerable to a sql injection attack on the where clause. Obv this is not a problem for the demo, but something we might want to clarify from a usage perspective.

Would be interested in @rumakt 's views on this.

[naleeha]

On the ignite side?
On the vuu side the sql filter query is generated from our ui filter query syntax.
Do you mean the interface for this method should not accept a string filter query or worried about attacker sending their own VUU sql syntax via the websocket?

[chrisjstevo]

I'd be worried about an attacker submitting something like this:

columnName ='FOO';DELETE * FROM Orders' in a filter statement and it making its way all the way to Ignite.

I'm not sure if Ignite supports prepared statements:

"Select * from Orders Where column = ?"

And we get the driver/client lib to do the software parse, (so that a sql attack can't happen) then we do like this:

query.setParameter(0, );

If that makes sense. Its not a problem for the demo code, but might imply the string concat is ok in prod system.