Combat .NET Data Access Layer - 19

Source: Internet
Author: User
Tags: sql injection
Data access | 6. Aspect

AOP (Aspect-Oriented Programming) may be one of the most powerful technologies to emerge in recent years. The author does not intend to spend time introducing it here (material on it is plentiful online); I only want to borrow its concept of an "aspect" to illustrate several problems that must be considered when designing a data access layer (they are also important factors to consider before designing the system architecture!):

(1) Security

Putting this first among the aspects should raise no doubt at all!



Although the business logic already handles a great many security issues for us, the long-lingering "shadow of the ConnectionString" may forever remain a thorn in the hearts of many developers!



One of my colleagues told me that Microsoft had an ASP.NET application that was known to be hard to break into, and that its ConnectionString was actually stored in the registry (don't forget to disable the Remote Registry service)! Such double protection (the other layer being encryption of the ConnectionString) is so simple, yet so practical!

In many cases, keeping things as simple as possible is the goal we should really pursue.
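The "double protection" described above, as an added example that is not code from the original article: the connection string is encrypted with the Windows Data Protection API (DPAPI) and the ciphertext is kept under a registry key instead of in Web.config, so the data access layer decrypts it at start-up. The key path, value name and entropy string are placeholders chosen for this example; the article does not name the real key.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll
using System.Text;
using Microsoft.Win32;

// Hypothetical helper for the pattern in the article: encrypted ConnectionString in the registry.
static class ProtectedConnectionString
{
    // Placeholder registry location; pick your own and restrict its ACL to the application identity.
    const string KeyPath = @"SOFTWARE\ExampleApp\DataAccess";
    const string ValueName = "ConnectionString";

    // Optional entropy: DPAPI alone lets any process running on this machine decrypt
    // machine-scoped data, so a secret only the application knows adds a second factor.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // One-time setup step run by an administrator: encrypt and store as REG_BINARY.
    // DataProtectionScope.LocalMachine ties the ciphertext to this host; it cannot be
    // decrypted on another machine even if the registry value is copied.
    public static void Store(string connectionString)
    {
        byte[] protectedBytes = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(connectionString),
            Entropy,
            DataProtectionScope.LocalMachine);

        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(KeyPath))
        {
            key.SetValue(ValueName, protectedBytes, RegistryValueKind.Binary);
        }
    }

    // Called by the data access layer when it needs to open a connection.
    public static string Load()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath, writable: false))
        {
            if (key == null)
                throw new InvalidOperationException("Connection string registry key not found.");

            byte[] protectedBytes = key.GetValue(ValueName) as byte[];
            if (protectedBytes == null)
                throw new InvalidOperationException("Connection string value is missing or not REG_BINARY.");

            byte[] plain = ProtectedData.Unprotect(protectedBytes, Entropy, DataProtectionScope.LocalMachine);
            return Encoding.UTF8.GetString(plain);
        }
    }
}
```

The plaintext exists only in process memory after Load() returns; never write it to a log or include it in an exception message. Combined with the article's advice to disable the Remote Registry service and a registry ACL that grants read access only to the application pool identity, an attacker needs code execution on the host itself before the connection string is reachable.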



Another issue to note is how to respond to SQL injection attacks!

A classic example is as follows:

    // Vulnerable: user input is concatenated straight into the SQL text with no validation.
    string strSQL = "SELECT * FROM user WHERE " +
                    "username = '" + strUserName +
                    "' AND password = '" + strPassword;



In this case, the dynamic SQL itself has no logic problem at the point of the call, but it gives an attacker an opening: if the system performs no validation on strPassword, then when a user enters "ABC" as the username and "123 ' or 1 = 1" as the password, I regret to tell you that the system has been breached; please release a patch quickly!

While this example is simple, it reminds us that even small SQL statements can be an "important source" of system vulnerabilities!



In this case, the way to avoid the crisis is simple: use stored procedures or the Parameters collection (you won't tell me that you are ready to push this responsibility onto business-logic developers with no SQL experience, will you?). If the system architecture is not ready to adopt stored procedures, or developers are not used to the Parameters collection (frankly, I don't like it much either), there is a slightly more troublesome solution (of course, not recommended):

I. Use only the username to assemble the dynamic SQL;

II. Check whether the number of returned records is 1 (assuming username is a unique column);

III. If the record count is 1, take the password data from it;

IV. Check whether the password entered by the user matches the password returned by the query.
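The three options above, as an added example written for this article rather than taken from it: the login check using the Parameters collection, the same check through a stored procedure, and the four-step "look up by username, then compare in code" variant. The class name, the table and column names, the stored procedure name dbo.usp_CheckLogin and the parameter sizes are assumptions for the example. The four-step variant here passes the username as a parameter as well: if step I concatenated the username into the SQL text, the same injection hole would simply move from the password to the username.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical login helper; the connection string comes from wherever the DAL keeps it.
static class UserLogin
{
    // Option 1: Parameters collection. The values travel to SQL Server as typed parameters,
    // never as SQL text, so "123' or 1 = 1" is compared as a literal password and fails.
    public static bool AuthenticateParameterized(string connectionString, string userName, string password)
    {
        const string sql = "SELECT COUNT(*) FROM [user] WHERE username = @username AND password = @password";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 100).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    // Option 2: stored procedure. Assumes dbo.usp_CheckLogin(@username, @password)
    // returns the number of matching rows; the inputs are again parameters, not text.
    public static bool AuthenticateStoredProcedure(string connectionString, string userName, string password)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_CheckLogin", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 100).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    // Option 3: the article's four-step variant. Only the username reaches the database;
    // the password never appears in any SQL statement and is compared in application code.
    public static bool AuthenticateTwoStage(string connectionString, string userName, string password)
    {
        const string sql = "SELECT password FROM [user] WHERE username = @username";   // step I
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false;                          // step II: zero rows, unknown user
                string storedPassword = reader.GetString(0);   // step III: take the password data
                if (reader.Read())
                    return false;                          // step II: more than one row, reject
                // step IV: compare exactly as stored; the article keeps passwords as plain text,
                // so the comparison is a plain string comparison here.
                return string.Equals(storedPassword, password, StringComparison.Ordinal);
            }
        }
    }
}
```

All three return false for the "123 ' or 1 = 1" payload from the article, because the quote and the OR never become part of the statement. The first option is the cheapest to adopt in an existing code base: the dynamic SQL text stays where it is, and only the concatenated values move into Parameters.Add calls.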



Limited by space, only two of the more common issues are covered here; this is far from the full essence of security, but it makes one point: security is very, very important and must not be taken lightly!



(2) Transaction

This is a hidden corner: finding its problems takes some effort, and it is not easy to test! The author is not ready to go into it here; we can only accumulate experience through actual practice.

In addition, whether to use System.EnterpriseServices or Connection.BeginTransaction + try-catch still confuses many .NET developers; as part of the system architecture design, this is an issue that must be fully considered!
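The Connection.BeginTransaction + try-catch form mentioned above, as an added example that is not from the original article: two UPDATE statements that must commit or roll back together. The class, table and column names are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical unit of work: move money between two rows of an "account" table.
static class AccountTransfer
{
    public static void Transfer(string connectionString, int fromAccount, int toAccount, decimal amount)
    {
        if (amount <= 0)
            throw new ArgumentOutOfRangeException("amount");

        using (SqlConnection conn = new SqlConnection(connectionString))
        {
            conn.Open();
            // The transaction is bound to this connection; ReadCommitted is SQL Server's default.
            SqlTransaction tx = conn.BeginTransaction(IsolationLevel.ReadCommitted);
            try
            {
                using (SqlCommand debit = conn.CreateCommand())
                {
                    debit.Transaction = tx;   // every command on the connection must be enlisted, or ADO.NET throws
                    debit.CommandText =
                        "UPDATE account SET balance = balance - @amount WHERE id = @id AND balance >= @amount";
                    debit.Parameters.Add("@amount", SqlDbType.Money).Value = amount;
                    debit.Parameters.Add("@id", SqlDbType.Int).Value = fromAccount;
                    if (debit.ExecuteNonQuery() != 1)
                        throw new InvalidOperationException("Insufficient funds or unknown source account.");
                }

                using (SqlCommand credit = conn.CreateCommand())
                {
                    credit.Transaction = tx;
                    credit.CommandText = "UPDATE account SET balance = balance + @amount WHERE id = @id";
                    credit.Parameters.Add("@amount", SqlDbType.Money).Value = amount;
                    credit.Parameters.Add("@id", SqlDbType.Int).Value = toAccount;
                    if (credit.ExecuteNonQuery() != 1)
                        throw new InvalidOperationException("Unknown destination account.");
                }

                tx.Commit();
            }
            catch
            {
                // Rollback itself can fail if the connection has died; that must not hide
                // the original error, which is re-thrown unchanged for the caller to handle.
                try { tx.Rollback(); } catch (Exception) { }
                throw;
            }
        }
    }
}
```

The hard-to-test part the article warns about is the catch block: a test suite that never forces the second UPDATE to fail never exercises the rollback path, and a missing `Transaction = tx` on one command shows up only as an exception at run time. The System.EnterpriseServices alternative moves this bookkeeping into a ServicedComponent marked with [Transaction(TransactionOption.Required)], where ContextUtil.SetComplete() and ContextUtil.SetAbort() (or the [AutoComplete] attribute) replace the explicit Commit and Rollback calls, at the cost of COM+ registration and distributed-transaction overhead.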



(3) Logging

Logging is not a question of whether to do it, but of how to do it.

log4net is already very good; don't try to roll your own!



(4) Exception

This is a "bottomless pit"; it all depends on how you design it.

In the projects the author has experienced, there are two main approaches:

I. One throw, one catch, no re-throw

This is the simplest: no complex exception inheritance hierarchy is needed, and handling is relatively easy;

II. One throw, multi-catch, multi-re-throw

Complex applications may use this pattern more often; it requires many exception classes and try-catch blocks, but it may be better in scalability and fault tolerance (though it is hard on us developers :( )!
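The two exception patterns above, together with the logging section's advice to use log4net rather than a home-grown logger, as one added example that is not code from the original article: a small repository class exposes the same operation in both styles, and both log the SqlException through log4net at the point where it is caught. The repository, the DataAccessException class and the table name are assumptions for the example; the log4net calls (LogManager, ILog.Error, XmlConfigurator) are the library's real API.

```csharp
using System;
using System.Data.SqlClient;
using log4net;
using log4net.Config;

// Hypothetical DAL-level exception: the one extra class pattern II needs at this layer.
public class DataAccessException : Exception
{
    public DataAccessException(string message, Exception inner) : base(message, inner) { }
}

public class UserRepository
{
    private static readonly ILog Log = LogManager.GetLogger(typeof(UserRepository));
    private readonly string connectionString;

    static UserRepository()
    {
        // Reads the <log4net> section of the application's config file (appenders, levels).
        XmlConfigurator.Configure();
    }

    public UserRepository(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // Pattern I: one throw, one catch, no re-throw. The DAL catches the database error,
    // logs it, and reports failure through the return value; callers never see SqlException.
    public bool TryDeleteUser(string userName)
    {
        try
        {
            DeleteUserCore(userName);
            return true;
        }
        catch (SqlException ex)
        {
            // Log the exception object, not a hand-built message with the connection string in it;
            // SqlException.Message already names the server and database, so keep this log internal.
            Log.Error("DeleteUser failed for user '" + userName + "'", ex);
            return false;
        }
    }

    // Pattern II: one throw, multi-catch, multi-re-throw. The SqlException is logged here,
    // wrapped in a DAL-specific exception and thrown on; the business layer catches
    // DataAccessException and decides what, if anything, the end user gets to see.
    public void DeleteUser(string userName)
    {
        try
        {
            DeleteUserCore(userName);
        }
        catch (SqlException ex)
        {
            Log.Error("DeleteUser failed for user '" + userName + "'", ex);
            throw new DataAccessException("Could not delete user.", ex);
        }
    }

    private void DeleteUserCore(string userName)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("DELETE FROM [user] WHERE username = @username", conn))
        {
            cmd.Parameters.AddWithValue("@username", userName);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Pattern I keeps the call site simple but throws away the reason for the failure beyond the log line; pattern II preserves it in InnerException at the cost of one exception class per layer and a catch block in every caller that wants to translate it. In both, the raw SqlException text stays in the log and out of any message shown to the user.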



That is all I can think of for now; if anything is missing, feel free to add it.

Next part: http://www.csdn.net/develop/Read_Article.asp?id=27564

