-
|
I was looking at project-m36/docs/tutd_tutorial.markdown and came across the quote in the title. What should I use then? Or is it saying project m36 is not suitable for production uses? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 4 replies
-
|
I read more of the docs, and it seems for production, haskell client is recommended. |
Beta Was this translation helpful? Give feedback.
-
|
Indeed, we should clarify that statement. Like SQL, TutorialD offers a quick way to learn and experiment with the relational algebra. As in SQL, string concatentation could be used to create unsafe scenarios such as with SQL/TutorialD injection vectors. However, unlike SQL, TutorialD is parsed on the client into its constituent Haskell representation, so TutorialD is never used in remote procedure calls. As a compromise, we plan to support template-haskell-based TutorialD to be compiled within Haskell source, similar to parameterized SQL queries, but parsed and type-checked at Haskell compile time. It might look something like this: do
let myName = "Blake"
res <- [tutd|s where sname = $myName|]where In summary, we'll amend that statement to make it clearer under what circumstances using TutorialD makes sense. |
Beta Was this translation helpful? Give feedback.
-
|
That's a shame. As great of a language Haskell is, sadly other languages are more widely used. I think it's easier to convince people to try just a new database, rather than that and a new language. |
Beta Was this translation helpful? Give feedback.
-
|
Well, like many databases, Project:M36 supports external client APIs. Project:M36, in particular supports a JSON API over websockets which has an existing javascript client library. For reasons of type safety and ease-of-integration, we recommend but not require Haskell for this use-case. |
Beta Was this translation helpful? Give feedback.
-
|
Is the JSON API over websockets vulnerable to injection attacks? |
Beta Was this translation helpful? Give feedback.
-
|
Well, sort of- the TutorialD is parsed into a JSON structure (compatible with the backend ADT) which the client can then manipulate further, if desired. Nothing prevents a naive user from concatenating strings to build a TutorialD string, which could potentially include an injection attack. However, Project:M36 is different in that the server query protocol does not include the original TutorialD string. We're actually working on a template haskell means of writing parameterized TutorialD safely within Haskell. |
Beta Was this translation helpful? Give feedback.
Indeed, we should clarify that statement.
Like SQL, TutorialD offers a quick way to learn and experiment with the relational algebra. As in SQL, string concatentation could be used to create unsafe scenarios such as with SQL/TutorialD injection vectors. However, unlike SQL, TutorialD is parsed on the client into its constituent Haskell representation, so TutorialD is never used in remote procedure calls.
As a compromise, we plan to support template-haskell-based TutorialD to be compiled within Haskell source, similar to parameterized SQL queries, but parsed and type-checked at Haskell compile time. It might look something like this: