c# - Why not reveal the type and identity of the source to the client? -


on page 220, c# language specification version 5.0 says:

it important ... ensure result of query expression never source object itself, reveal type , identity of source client of query.

why problematic reveal type , identity of source client of query?

as example, query expression of form from c in customers select c translates customers.select(c => c) instead of customers.

in above case, seems me returning customers client returning results of customers.select(c => c). why isn't it?

though robert mckee's answer plausible , raises interesting point, not primary issue had in mind when writing section of specification. issue had in mind this:

class c  {   private list<int> mylist = new list<int>();   // code in c can add items list.   public ienumerable<int> items    {         {       return item in mylist select item;     }   } }

suppose have c in hand. should able write code?

((list<int>)c.items).add(123);

the existence of query on list should not grant code obtains query ability change list! should grant code right execute query , no more.

now imagine instead of list<int>, query wrapping database call. if caller can obtain underlying database query perhaps can make queries or edits database author of query did not intend them make.

of course, linq not designed security system, , if line of defense against code wants attack database, you're pretty vulnerable. security systems work better when components use "defense in depth". not ever leaking collection query querying part of defensive strategy.

for more on feature, see article on subject:

http://blogs.msdn.com/b/ericlippert/archive/2008/05/12/trivial-projections-are-usually-optimized-away.aspx


Comments

Post a Comment

Popular posts from this blog

php - failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request -

this code i'm using find latitude , longitude of place: function coords($address){ echo $url="http://maps.googleapis.com/maps/api/geocode/json?address=".$address; $json = file_get_contents(urlencode($url)); $data = json_decode($json, true); print_r($data['results'][0]['geometry']['location']['lat']); print_r($data['results'][0]['geometry']['location']['lng']); } however returns warning: failed open stream: http request failed! http/1.0 400 bad request if use above code in simple procedure works fine not in function. note: have tried curl_init()... method produced same result? instead of encoding whole url encode address part. following code work fine $add='jamshoro phase 2'; $url="http://maps.googleapis.com/maps/api/geocode/json?address=".urlencode($add); $json = file_get_contents($url); $data = json_decode($json, true); print_r($data['r
Read more

java - How to filter a backspace keyboard input -

i have code gives message when key number pressed: txtvalueofclause.addeventfilter(keyevent.key_typed, new eventhandler<keyevent>() { @override public void handle(keyevent t) { char ar[] = t.getcharacter().tochararray(); char ch = ar[t.getcharacter().tochararray().length - 1]; if (!(ch >= '0' && ch <= '9')) { system.out.println("the char entered not number"); t.consume(); } } }); now if press on wrong button , press backspace remove it, error message. how can add backspace input if statement? i have found answer: txtvalueofclause.addeventfilter(keyevent.key_typed, new eventhandler<keyevent>() { @override public void handle(keyevent t) { char ar[] = t.getcharacter().tochararray(); char ch = ar[t.getcharacter().tochar
Read more

java - Show Soft Keyboard when EditText Appears -

i have code in android app, alert dialog , keyboard, , when dialog shown want keyboard appear. not , not sure why? here code: final alertdialog.builder alert = new alertdialog.builder(this); alert.settitle("title"); alert.setmessage("message"); final edittext input = new edittext(this); input.setinputtype(inputtype.type_class_number); alert.setview(input); input.setonfocuschangelistener(new view.onfocuschangelistener() { @override public void onfocuschange(view v, boolean hasfocus) { if (hasfocus) { log.i(tag, "in focus"); inputmethodmanager inputmethodmanager = (inputmethodmanager) getsystemservice(context.input_method_service); inputmethodmanager.showsoftinput(input, inputmethodmanager.show_implicit); } } }); but keyboard not appear though edit text in focus, , tell appear why, doesn't come up? thanks in advance.
Read more