[Laszlo-dev] OpenLaszlo + CakePHP
Max Carlson
max at openlaszlo.org
Thu Jan 4 13:41:37 PST 2007
Nate Abele wrote:
>>>>>> http://wiki.openlaszlo.org/Database_Connector
>>> I have a couple of additional thoughts on the spec that I wanted to
>>> throw out, to get some opinions from you and the Laszlo development
>>> community. One thing I see lacking in the spec is the ability to
>>> query records by specific search conditions. One way I see of
>>> accomplishing this is in the query string, if you have certain
>>> 'special' keys, i.e. order, which have their own purposes, and treat
>>> the rest of the keys as field names to search. Following the
>>> examples in the spec, a sample URL might look something like:
>>> /contact/search?first_name=nate
>>> or even
>>> /contact/read?first_name=nate (this one would make it easier to
>>> maintain the CRUD method mappings)
>>
>> This makes sense to me. All the SQL comparison operators map over
>> pretty well, e.g. '!= nate' would naturally end up with '!' as the
>> last part of the query key - not so bad. The operators can be parsed
>> out of the keys and used to assemble the query.
>>
>> != -> <>
>> <= -> <=
>> >= -> >=
>> ...
>
> I guess the only issue I see with this, now that I think about it, is
> the fact that you're effectively allowing the execution of arbitrary SQL
> from the query string. Granted, you could always lock down which
> operations are allowed for which fields on the server side, but I think
> it raises the larger issue of client authentication, which isn't
> addressed in the spec.
I agree - perhaps this is too much rope to be giving people. Given that
developers can easily create custom methods on the server for sorting
and filtering, this is probably best left alone.
> As long as all the access is happening from within your Laszlo app, there
> are obviously no issues, so I guess it's just a matter of verifying that
> the client is, in fact, your Laszlo app.
Yes, but this supposes an authentication system which as you said isn't
addressed by the spec. I'd prefer to keep it simple and leave
authentication to the implementation.
--
Regards,
Max Carlson
OpenLaszlo.org
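
Added example, not part of the original message or the Database Connector spec: one way a server could apply the per-field lock-down discussed in this thread, reading the operator from the last character of the query key, checking it against an allowlist and binding the value as a parameter. The ALLOWED/SORTABLE policy, the contact columns and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qsl

# "first_name!=nate" splits on the first "=" into key "first_name!" and
# value "nate", so the operator is read from the last character of the key.
SUFFIX_TO_SQL = {"!": "<>", "<": "<=", ">": ">=", "": "="}

# Hypothetical server-side policy: operators each column accepts.
ALLOWED = {"first_name": {"=", "<>"}, "age": {"=", "<=", ">="}}
SORTABLE = {"first_name", "age"}


class FilterError(ValueError):
    """The request asked for a field, operator or sort the policy forbids."""


def build_query(query_string):
    """Return (sql, params) for a read request, or raise FilterError."""
    clauses, params, order = [], [], ""
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key == "order":  # 'special' key, never treated as a field
            if value not in SORTABLE:
                raise FilterError("cannot order by %r" % value)
            order = " ORDER BY " + value
            continue
        suffix = key[-1] if key[-1:] in ("!", "<", ">") else ""
        field = key[: len(key) - len(suffix)]
        op = SUFFIX_TO_SQL[suffix]
        # Only names and operators that match the policy reach the SQL text.
        if op not in ALLOWED.get(field, ()):
            raise FilterError("%r not allowed on %r" % (op, field))
        clauses.append("%s %s ?" % (field, op))
        params.append(value)  # bound as a parameter, never interpolated
    where = " WHERE " + " AND ".join(clauses) if clauses else ""
    return "SELECT first_name, age FROM contact" + where + order, params


def demo(query_string):
    """Run the built query against constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contact (first_name TEXT, age INTEGER)")
    db.executemany("INSERT INTO contact VALUES (?, ?)",
                   [("nate", 25), ("max", 40), ("amy", 31)])  # constructed
    sql, params = build_query(query_string)
    return db.execute(sql, params).fetchall()


if __name__ == "__main__":
    print(demo("first_name!=nate&age>=30&order=age"))
```
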