Litmus:DevelopersNotes: Difference between revisions

=== The Model - Class::DBI ===
Since writing SQL by hand is a pain, Litmus uses [http://search.cpan.org/~tmtm/Class-DBI-0.96/lib/Class/DBI.pm Class::DBI] to talk to the database. The schema is contained in a set of perl modules found in litmus/Litmus/DB, and the cgi scripts and templates interact with the database using these modules. When it is necessary to write more complex database queries (or where queries have been tuned manually and inlined for performance reasons), Class::DBI provides several methods for running hand-written SQL, and additional subroutines in the Litmus::DB::* modules handle these needs. Note that Class::DBI builds its own queries with DBI bind placeholders; hand-written SQL in these modules should do the same (a ? in the statement, with the value passed as an argument), and must never interpolate request data into the statement text. It's worth taking a quick look through the [http://search.cpan.org/~tmtm/Class-DBI-0.96/lib/Class/DBI.pm Class::DBI documentation], or looking at some of the Litmus code that uses it, for a quick overview.
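The following is an added example, not code from the Litmus tree: a Class::DBI subclass written in the style of the Litmus::DB::* modules, with one framework-generated query, one manually tuned query registered through set_sql, and one raw DBI query. The package name (Litmus::DB::Testcase), the table and column names (testcases, testcase_id, summary, product_id, enabled) and the connection string are all assumptions for illustration.

```perl
# Added example, not Litmus code: a Class::DBI subclass in the style of
# the Litmus::DB::* modules. Package, table, column names and the
# connection string are assumptions for illustration.
package Litmus::DB::Testcase;

use strict;
use warnings;
use base 'Class::DBI';

# Real Litmus reads its connection details from configuration; these are placeholders.
__PACKAGE__->connection('dbi:mysql:litmus', 'litmus', 'secret');
__PACKAGE__->table('testcases');
__PACKAGE__->columns(Primary   => qw(testcase_id));
__PACKAGE__->columns(Essential => qw(summary product_id enabled));

# Ordinary usage: no SQL is written at all. Class::DBI builds a
# parameterised SELECT from the column definitions, so $product_id is
# bound as data rather than spliced into the statement.
sub enabled_for_product {
    my ($class, $product_id) = @_;
    return $class->search(product_id => $product_id, enabled => 1);
}

# A manually tuned query. set_sql() registers it as sql_recent(), and
# because the statement starts with SELECT, Class::DBI also generates
# search_recent(), which binds its arguments to the ? placeholders and
# inflates the rows into Litmus::DB::Testcase objects. __ESSENTIAL__ and
# __TABLE__ expand to the essential columns and table name declared above.
__PACKAGE__->set_sql(recent => qq{
    SELECT __ESSENTIAL__
    FROM   __TABLE__
    WHERE  product_id = ?
      AND  enabled    = 1
    ORDER BY testcase_id DESC
});

sub recent_for_product {
    my ($class, $product_id) = @_;
    return $class->search_recent($product_id);
}

# Dropping to raw DBI for a query that does not map onto objects. The
# statement still uses a placeholder; the injectable form would be
#   "SELECT COUNT(*) FROM testcases WHERE product_id = $product_id"
# which lets a value such as "1 OR 1=1" rewrite the query.
sub count_for_product {
    my ($class, $product_id) = @_;
    my $sth = $class->db_Main->prepare(
        'SELECT COUNT(*) FROM testcases WHERE product_id = ?');
    $sth->execute($product_id);
    my ($count) = $sth->fetchrow_array;
    $sth->finish;
    return $count;
}

1;
```

A cgi script would call something like Litmus::DB::Testcase->recent_for_product($product_id) with a value taken straight from the request; the placeholder, not any validation in the caller, is what keeps that value data rather than SQL. Keeping the tuned query inside set_sql also means it lives beside the column definitions it depends on, which limits the "two approaches in one application" problem described under Limitations.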


=== The View - Template Toolkit ===
One important note: to prevent cross-site scripting attacks, any information coming from the database must be "filtered" so that HTML special characters are properly escaped before they reach the page. To do this, use the FILTER directive wherever a template variable is output. In other words, the example above should really be written as <code>[% test.testid FILTER html %]</code>. The html filter is the right choice for values placed in HTML text or inside a quoted attribute; other filters exist for more specialized contexts, such as "js" (for values embedded in JavaScript) and "testdata" (which permits only a specific list of HTML tags to appear in testcases, since that content is meant to carry markup). When in doubt, filter it, and pick the filter that matches the context the value lands in: escaping for one context does not protect another.
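The following is an added example, not Litmus code, showing what the html filter does to a constructed testcase record whose summary contains a hostile script tag, and why a JavaScript string context needs a different filter. The "js" filter defined here is an illustrative stand-in for the one Litmus ships, not Litmus's own, and the "testdata" tag whitelist filter is not reproduced.

```perl
#!/usr/bin/perl
# Added example, not Litmus code: rendering the same database value with
# and without Template Toolkit filters. The record below is constructed;
# the "js" filter is a stand-in for Litmus's own, not a copy of it.
use strict;
use warnings;
use Template;

# Constructed sample row, as it might come back from a Litmus::DB::* object.
# The summary carries a script tag that a hostile user could have stored.
my $test = {
    testid  => 1234,
    summary => q{Verify <b>bold</b> text<script>alert(document.cookie)</script>},
};

my $tt = Template->new({
    FILTERS => {
        # Stand-in js filter: escapes a value for use inside a JavaScript
        # string literal, so the value can neither end the string nor end
        # the enclosing <script> element.
        js => sub {
            my $s = shift;
            $s =~ s{([\\'"])}{\\$1}g;   # backslash and both quote characters
            $s =~ s{</}{<\\/}g;         # stop "</script>" from closing the tag
            $s =~ s{\r}{\\r}g;
            $s =~ s{\n}{\\n}g;
            return $s;
        },
    },
});

# Render a template string against the sample record and return the output.
sub render {
    my ($template) = @_;
    my $out = '';
    $tt->process(\$template, { test => $test }, \$out) or die $tt->error;
    return $out;
}

# Unfiltered: the stored script tag is emitted verbatim and the browser runs it.
print render('<td>[% test.summary %]</td>'), "\n";

# html filter: angle brackets, ampersands and double quotes are escaped, so
# the browser displays the tag as text instead of executing it.
print render('<td>[% test.summary FILTER html %]</td>'), "\n";

# Attribute context: the html filter also escapes the double quote, so the
# value cannot break out of the attribute it sits in.
print render('<a href="show.cgi?id=[% test.testid FILTER html %]">'), "\n";

# JavaScript string context: html escaping does not neutralise a single
# quote or a line break here, so the context-specific filter is used instead.
print render(q{<script>var summary = '[% test.summary FILTER js %]';</script>}), "\n";
```

Run the script and compare the four lines: only the first one contains a live script element. The third and fourth lines are the reason the page keeps more than one filter; each escapes exactly the characters that are special where the value lands, and applying the html filter inside a script block, or the js filter inside an attribute, leaves the other context's special characters untouched.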
== Limitations ==
* Class::DBI doesn't allow you much flexibility with your SQL, making it hard to improve DB performance by simply tweaking queries. In Litmus, we've resorted to sub-classing and have some custom SQL outside of the Class::DBI object framework. Maintaining these two approaches in one application is not ideal.
* Class::DBI doesn't handle pure join tables very well (see above).
* Templates are cached, but much of the information used to fill pages is looked up on the fly with little or no caching. See {{bug|419688}} for more information.


== Where to find stuff ==