Nova postagem

Pesquisar

Artigo
· Set. 22, 2024 1min de leitura

Lidando com NULL em SQL

#ObjectScript #SQL #Caché #InterSystems IRIS

Rubrica InterSystems FAQ

No SQL, dados NULL e a string vazia ('') são dados diferentes. O método para definir e checar cada uma é como se segue

(1) dado NULL

[SQL] 

insert into test(a) values(NULL)
select * from test where a IS NULL

[InterSystems ObjectScript]

set x=##class(User.test).%New()
set x.a=""

(2) String Vazia ('')

[SQL]

insert into test(a) values('')
select * from test where a = ''

[InterSystems ObjectScript]

set x=##class(User.test).%New()
set x.a=$C(0)

Para mais informações, por favor veja os seguintes documentos:

NULL e strings vazias [IRIS]
NULL e strings vazias

Discussão (0)1
Entre ou crie uma conta para continuar
Artigo
· Set. 22, 2024 1min de leitura
Open Exchange

SMART on FHIR app - Sample with Hands-on Exercise/Workshop Instructions

#Angular #Nuvem #FHIR #OAuth2 #InterSystems IRIS for Health

Based on a great sample and workshop built by @Luis Angel Pérez Ramos (see related articles and related Open Exchange app), which included a local InterSystems IRIS for Health container (and desired setup), this sample presented here, adapted the workshop for using the InterSystems Cloud FHIR Server, and it's related setup.

The related Open Exchange and GitHub repo included detailed instructions (and related screenshots) to create the desired project and flow.

See this series of short videos to accompany the steps to be performed.

Basically the steps include:

  • Setting up a Cloud FHIR Server [video]
  • Setting up an OAuth Server (auth0 by Okta) [video]
    • Creating an Application
    • Creating an API
    • Creating a User
  • Configuring the FHIR Server [video]
    • Creating an OAuth Server
    • Creating an Application
  • Adapting the app (Angular) to point to FHIR and OAuth Servers [video]
    • Adapting proxy.config.json
    • Adapting nginx.conf
    • Adapting app.module.ts
  • Testing running the app [video]
    • Examining the Login behind the scenes
    • Examining fetching and updating data behind the scenes

Enjoy!

3 Comments
Discussão (3)2
Entre ou crie uma conta para continuar
Pergunta
· Set. 22, 2024

Property of list of lists

#InterSystems IRIS for Health

Hello, i need to make property that is of type List of Lists of String (see "body_text" in JSON)

How can i make it? 

Thanks

{
  "type": "BODY",
  "text": "<TEXT>",
  
  # Required if <TEXT> string contains variables
  "example": {
    "body_text": [
      [
        <BODY_TEXT>
      ]
    ]
  }
}
1 Comment
Discussão (1)1
Entre ou crie uma conta para continuar
Artigo
· Set. 22, 2024 5min de leitura
Open Exchange

Database Management Tool

#Angular #Docker #Java #JavaScript #JDBC #REST API #InterSystems IRIS

Introduction

Managing databases and performing CRUD operations are fundamental tasks for developers building data-driven applications. While many database management systems (DBMS) exist, they can be complex and cumbersome to interact with, especially when it comes to creating databases and tables, handling constraints, and performing real-time data operations through an API.

This web-based Database Management Tool simplifies the entire process, offering an intuitive UI for managing databases and tables, alongside a powerful REST API for interacting with the data. Whether you’re a developer building a backend for your app or a data engineer needing to manage multiple databases efficiently, this tool provides a seamless and easy-to-use interface to create, update, and delete databases and tables. Additionally, it supports secure access via JWT tokens, ensuring that all data operations are performed safely.

The frontend is built with Angular 17 to provide a dynamic and responsive user experience, while the backend uses Java 21 with Spring Boot 3, ensuring high performance and scalability. The tool leverages InterSystems IRIS as the main database and Redis for caching, making data management both efficient and fast.

In this article, we will dive deep into the features of the tool and walk you through how to work with it, from setting up databases to utilizing the API for CRUD operations.

Creating Your First Database

Before you can start managing databases and tables, you'll need to create an account or log in with an existing one. This step ensures secure access to the system and enables you to manage your databases privately.

Once you are logged in, the main dashboard will give you access to all database management features. To create your first database, follow these steps:

  • Click on "Create New Database": This will open a form where you can enter the database details.
  • Enter the Database Name: Provide a unique name for your database. This name will be used to identify and manage the database.
  • Select Token Lifetime: Every database you create generates a special API token that allows you to interact with the database’s tables via REST API. You’ll need to select a lifetime for this token, choosing from one of the following options: day, week, month, year.

Creating a Table for Your Database

Once you've created your first database, the next step is to define the structure of your data by creating tables. Each table holds the data for your database, and you can customize the columns and constraints to fit your needs.

Open the Database

To start, navigate to the list of databases on your dashboard. Find the database in which you want to create a new table and click on it. This will open up the details page for the selected database.  

Create a New Table: 

  1. Click on "Create Table": Inside the database details page, you’ll see a "Create Table" button. Clicking this will open a new form where you can define your table.
  2. Enter the Table Name: In the form, provide a unique and descriptive name for your table. This name will be used to reference the table in both the UI and API.
  3. Define Table Columns: Click "Add Column": Each table consists of multiple columns, and you can add as many as needed for your data. For each column:
    1. Enter a Column Name: This will be the identifier for the column within the table.
    2. Select a Column Type: Choose from a variety of data types (e.g., String, Integer, Date, etc.) to match the kind of data that column will hold.
    3. Add Constraints: You can apply constraints such as NOT NULL, UNIQUE, or PRIMARY KEY to enforce rules on the column data.
  4. Submit the Table: Once you’ve added all your columns and set the appropriate constraints, click the "Submit" button to finalize the table creation. The new table will now appear in the list of tables for the database, ready for data entry or API operations.  

Using the API to Interact with Your Table

After creating your tables, you can start working with your data through the API, which allows you to perform CRUD (Create, Read, Update, Delete) operations on the tables. Each database has its own unique API token, which you will use to authenticate your requests to that specific database.

Access API Request Examples

Once your table is created, navigate to the Table Information Page by selecting the table from the list of tables within your database. On this page, you will find examples of the API requests you can make to interact with the table, including: get by field, get all, create, update, delete.  

Retrieve the Database API Token

To perform API operations on your table, you need to authenticate your requests with a special API token that was generated when you created the database. Here’s how to get the token:

  1. Navigate to the Database Information Page: Go back to the page for the database that contains your table.
  2. Copy the API Token: You’ll see a section with the token information. Copy this token, as it will be needed in the headers of every request you make to the API for that database.

Making a "Create" Request

Now that you have the token and have reviewed the API examples, let's add some records to your new table.

  1. Find the "Create" Request: On the Table Information Page, locate the "Create" request example. This will include the API endpoint URL and an example of the request body.     
  2. Send the Request: Using an API client (such as Postman, cURL, or any other tool), send your POST request to the API. The server will process the request and add the new record to the table.    

Getting All Records from the Table

Now that we’ve added some data to our table, let’s retrieve all the records to verify that our entries were saved correctly. The process for retrieving data is similar to creating records, but we’ll use a different API endpoint.      

Conclusion

That’s all for now! In this article, I’ve walked you through the main functionalities of this database management tool: from creating databases and tables, to performing basic CRUD operations through the REST API. However, this is just the beginning of what the application can do.

There are a variety of other features that make the tool powerful and versatile, such as:

  • Creating, updating, and deleting databases: Manage multiple databases effortlessly.
  • Customizing tables and columns: Add, modify, or remove columns, with support for various data types and constraints.
  • Extensive API access: Beyond simple CRUD operations, you can fully manage your database structures programmatically.

This tool aims to streamline database management, making it easy to organize your data and access it securely through the API. As development continues, more advanced features like custom queries, enhanced constraints, and additional column types will be added, expanding its possibilities even further.

Thank you for exploring this tool!

4 Comments
Discussão (4)2
Entre ou crie uma conta para continuar
Artigo
· Set. 21, 2024 4min de leitura

Injection SQL - une menace vaincue ?

#SQL #Segurança #InterSystems IRIS

Selon le rapport OWASP Top Ten de 2021, un document de référence reconnu dans le domaine de la sécurité des applications web, les injections SQL arrivent en troisième position des risques les plus critiques. Ce rapport, disponible sur OWASP Top 10: Injection, souligne la gravité de cette menace et la nécessité de mettre en place des mesures de protection efficaces.

Une injection SQL se produit lorsqu'un attaquant malveillant parvient à insérer du code SQL non autorisé dans une requête envoyée à une base de données. Ce code, dissimulé au sein des entrées utilisateur, peut alors être exécuté par la base de données, provoquant des actions indésirables comme le vol de données confidentielles, la modification ou la suppression d'informations sensibles, ou encore la perturbation du fonctionnement de l'application.

Que doit-on rechercher pour empêcher l’injection SQL ?

Une application est vulnérable aux attaques lorsque :

  • Les données fournies par l'utilisateur ne sont pas validées, filtrées ou nettoyées par l'application.
  • Les requêtes dynamiques ou les appels non paramétrés sans échappement sensible au contexte sont utilisés directement dans l'interpréteur.
  • Les données hostiles sont utilisées dans les paramètres de recherche de mappage objet-relationnel (ORM) pour extraire des enregistrements supplémentaires et sensibles.
  • Les données hostiles sont directement utilisées ou concaténées. Le SQL ou la commande contient la structure et les données malveillantes dans les requêtes dynamiques, les commandes ou les procédures stockées.

Les injections les plus courantes sont SQL, NoSQL, commande OS, mappage objet-relationnel (ORM), LDAP et Expression Language (EL) ou Object Graph Navigation Library (OGNL). Le concept est identique pour tous les interpréteurs.

Avant de plonger dans les techniques de prévention, il est crucial de comprendre comment les injections SQL fonctionnent.

Les attaquants peuvent exploiter des entrées utilisateur non validées pour injecter du code SQL malveillant dans une requête. Par exemple, si un utilisateur peut saisir une valeur dans un champ de recherche et que cette valeur est directement insérée dans une requête SQL sans validation (par exemple, set query = "SELECT * FROM Company.Accounts WHERE custID="_custID), un attaquant pourrait entrer une chaîne de caractères comme "1 union select * from Company.Accounts pour obtenir des détails sur tous les comptes.

Heureusement, InterSystems IRIS fournit plusieurs mécanismes pour prévenir les injections SQL :

  • Utilisation de paramètres préparés. Les paramètres préparés sont l'une des méthodes les plus efficaces pour prévenir les injections SQL. Ils séparent la structure de la requête des valeurs d'entrée, empêchant les attaquants d'injecter du code SQL malveillant. Par example le code 
 SET statement = ##class(%SQL.Statement).%New()
 DO statement.%Prepare("SELECT * FROM Library.Book where ID = ?")
 SET rs = statement.%Execute("3 union select * from library.Book")
 DO rs.%Display()

ne retournera rien.

Tandis que

 SET statement = ##class(%SQL.Statement).%New()
 DO statement.%Prepare("SELECT * FROM Library.Book where ID = ?")
 SET rs = statement.%Execute("3")
 DO rs.%Display()

retournera l'info :

  • Validation des entrées utilisateur. Valider les entrées utilisateur avant de les insérer dans des requêtes SQL est une autre mesure importante de prévention. Utilisez des expressions régulières ou des fonctions de validation appropriées pour vérifier la validité des données. Par exemple, si on utilise le code postal comme paramètre de la requête, on doit vérifier qu'il ne contient que des caractères numériques et qu'il comporte 5 caractères en general:
 SET statement = ##class(%SQL.Statement).%New()
 DO statement.%Prepare("SELECT * FROM Post.Address WHERE ZIP = ?")
 READ "Enter ZIP code: ", zip
 if zip?5N {
    SET rs = statement.%Execute(zip)
    DO rs.%Display()
    }

Ce code retournera

  • Utilisation de patterns dans les descriptions de class. Il est proche du point précédent, mais permet de vérifier l'entrée lors de l'ajout de nouvelles instances.
  • Filtrage des caractères spéciaux
    • Filtrer les caractères spéciaux qui peuvent être utilisés pour injecter du code SQL peut également aider à prévenir les attaques. Utilisez des fonctions de filtrage appropriées pour supprimer ou échapper aux caractères potentiellement dangereux.
  • Utilisation de procédures stockées
    • Les procédures stockées sont des objets de base de données qui encapsulent un ensemble d'instructions SQL. En utilisant des procédures stockées, vous pouvez centraliser la logique de votre application et réduire le risque d'injections SQL.
  • Mise à jour régulière des composants logiciels
    • Assurez-vous de mettre à jour régulièrement InterSystems IRIS et les composants logiciels connexes pour bénéficier des derniers correctifs de sécurité.

Pour conclure, les injections SQL sont une menace sérieuse pour la sécurité des applications Web. En suivant les méthodes de prévention décrites dans cet article, vous pouvez réduire considérablement le risque d'attaques d'injection SQL dans vos applications InterSystems IRIS. Il est important de combiner plusieurs techniques de prévention pour obtenir une protection maximale.

Discussão (0)2
Entre ou crie uma conta para continuar