[Zope] ZOracleDA
Nemeth Miklos
nemeth@iqsoft.hu
Fri, 14 Jan 2000 23:14:28 +0100
I am stress-testing ZOracleDA, and found it almost perfect for large web
applications:
it supports multi-threaded access and a kind of connection pooling, and
quite reliable.
However, there are two points, which makes me a bit anxious:
(1) Doug Hellman mentioned that ZOracleDA does not stop long running
requests when the user cancels the HTTP request. Is it possible for a
malicious cracker to conduct a denial-of-service attack exploiting this
behaviour?
I think this is not a ZOracleDA specific problem, but a general issue
with Oracle. Do other technologies (PHP, mod_perl, etc) have a solution
for this problem? Is this a real threat?
(2) The ZSQL technology does not use bind variables, instead, literal
values are included into the SQL statemets. This may be a big problem
for Oracle. Oracle has a very primitive mechanism to determine if an SQL
statement be parsed or there is one in its cache: it simply compares the
SQL statement strings. If you use bind variables (eg. insert into
t(c1,c2) values(:bv1,:bv2)) the SQL statement string is always the same,
if you use literals (eg insert into t(c1,c2) values('xxx',512.67))
Oracle is forced to parse all SQL statements. We benchmarked this
behaviour and found the 20 - 30 % more Oracle resources are used for
this extra parsing.
Is there a way to force ZOracleDA to use binding instead of literal
substitution?
NM