In a bit of a pickle here :)

John E. Barham jbarham at jbarham.com
Tue Nov 25 15:24:48 EST 2003


Larry goodman wrote:

> Hi, I'm an old C++ salt who is doing his first large project using
> python/wxPython.  Fantastically productive are python and wxWindows.
> If you could bear with me, I have a couple of questions for people who
> have implemented python projects with similar characteristics.  I'm
> building a client/server app where the client is a windows or linux
> desktop and the back end is Python middleware (I'm going to write)
> running on linux with a postgres SQL back end.
>
> I started out using the typical client/server approach starting with
> my data model.  The more I've used python, the more I've gotten to
> think I really don't need a relational data model at all.
> ...
> I have one other question about the pickle system.  If I add new
> attributes to an object and try to unpickle an old version will it
> work?  How do you handle versioning of objects with pickle?

If you don't need a relational model, why not consider ZODB/ZEO
(http://zope.org/Wikis/ZODB/FrontPage)?  It's the distributed Python object
database that underlies Zope.  I've used it successfully for a similar
project.  ZODB has transactions/versioning, but client-server syncing is a
trickier, application-specific issue.

> My last questions involve using sockets as a transport.  If I use
> python to exchange data via sockets on the server, will my server be
> susceptible to buffer overflow attacks?  Because I may need to support
> handhelds with no SSL capability, I may need to expose a socket to the
> internet unsecured.  Any idea what the best approach would be to
> keeping the bad people out in this instance?  How should I secure my
> middleware if I cannot support SSL?

Python's strings will protect you from buffer-overflow attacks caused by
sloppy C code reading data into fixed-length buffers, but even then you have
to account for potentially malicious clients sending, for example, megabytes
of data.  If you want to limit message sizes, use self-delimiting netstrings
(http://cr.yp.to/proto/netstrings.txt).

It should be easy enough to encrypt your sessions (thus allowing for secure
authentication) by using something like AES.  If you control the server and
the clients, SSL is overkill anyway.

HTH,

    John
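The netstring suggestion above is worth seeing in code, because the whole point is that the length prefix is validated *before* any payload is buffered. The following is an added example, not code from the original thread: a small netstring encoder/decoder with an assumed size limit (`MAX_MESSAGE_BYTES`, a policy value chosen here, not from the post) that rejects an oversized or malformed frame while reading the header, so a hostile client cannot force the server to allocate megabytes.

```python
import io

# Assumed policy limit for one message; pick whatever your protocol needs.
MAX_MESSAGE_BYTES = 64 * 1024


class NetstringError(ValueError):
    """Raised for any frame that violates the netstring grammar or the size limit."""


def encode_netstring(payload: bytes) -> bytes:
    """Wrap payload as '<len>:<payload>,' per cr.yp.to/proto/netstrings.txt."""
    return b"%d:%s," % (len(payload), payload)


def read_netstring(stream, max_len: int = MAX_MESSAGE_BYTES) -> bytes:
    """Read one netstring from a binary stream.

    The length prefix is parsed byte by byte and checked against max_len
    before the payload is read, so an over-limit frame is rejected without
    ever buffering its body.
    """
    max_digits = len(str(max_len))
    digits = b""
    while True:
        ch = stream.read(1)
        if not ch:
            raise NetstringError("EOF while reading length prefix")
        if ch == b":":
            break
        if not ch.isdigit():
            raise NetstringError("non-digit in length prefix")
        digits += ch
        # More digits than max_len has means the length is certainly too big:
        # stop here rather than reading an arbitrarily long header.
        if len(digits) > max_digits:
            raise NetstringError("length prefix exceeds limit")
    if not digits:
        raise NetstringError("empty length prefix")
    if len(digits) > 1 and digits.startswith(b"0"):
        raise NetstringError("leading zero in length prefix")  # spec forbids it
    length = int(digits)
    if length > max_len:
        raise NetstringError("message of %d bytes exceeds limit %d" % (length, max_len))
    payload = stream.read(length)
    if len(payload) != length:
        raise NetstringError("EOF while reading payload")
    if stream.read(1) != b",":
        raise NetstringError("missing trailing comma")
    return payload


def parse_frames(data: bytes, max_len: int = MAX_MESSAGE_BYTES) -> list:
    """Split a byte buffer into its netstring payloads (raises on any bad frame)."""
    stream = io.BytesIO(data)
    frames = []
    while stream.tell() < len(data):
        frames.append(read_netstring(stream, max_len))
    return frames


def accepts(data: bytes, max_len: int = MAX_MESSAGE_BYTES) -> bool:
    """True if every frame in data is well-formed and within the limit."""
    try:
        parse_frames(data, max_len)
        return True
    except NetstringError:
        return False


if __name__ == "__main__":
    # Constructed sample traffic: two good frames, then a header claiming
    # a huge body that the server must refuse before reading it.
    good = encode_netstring(b"login alice") + encode_netstring(b"")
    print(parse_frames(good))
    print(accepts(b"99999999:", max_len=1024))
```

The decoder is deliberately strict (no leading zeros, exact trailing comma) so that a framing error cannot desynchronise the stream and cause the next frame to be misread; in a server loop you would close the connection on `NetstringError` rather than try to resynchronise.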
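On the original poster's pickle question (adding attributes to a class and still loading old pickles), the standard answer is to hook `__setstate__` and migrate old state there. This is an added example, not from the thread: `Account` is a hypothetical class, `_version` is an attribute name chosen here, and the "v1" fixture is constructed in-process to stand in for a pickle written by an older release. It assumes, as the poster's design does, that the pickles come from your own middleware, since `pickle.loads` runs code from the data it is given.

```python
import pickle


class Account:
    """Version 2 of a persisted object; version 1 had no 'currency' field."""

    CURRENT_VERSION = 2

    def __init__(self, name: str, balance: int, currency: str = "USD"):
        self.name = name
        self.balance = balance
        self.currency = currency          # added in version 2
        self._version = self.CURRENT_VERSION

    def __setstate__(self, state: dict) -> None:
        # Pickles written before versioning carry no marker: treat as v1.
        version = state.get("_version", 1)
        if version < 2:
            # Migration v1 -> v2: supply the attribute the old object lacked.
            state.setdefault("currency", "USD")
        if version > self.CURRENT_VERSION:
            raise ValueError("pickle from newer code (v%d)" % version)
        state["_version"] = self.CURRENT_VERSION
        self.__dict__.update(state)

    def __repr__(self) -> str:
        return "Account(%r, %r, %r)" % (self.name, self.balance, self.currency)


def make_v1_pickle(name: str, balance: int) -> bytes:
    """Constructed fixture: an instance with the old (v1) attribute layout,
    pickled exactly as the older code would have written it."""
    old = Account.__new__(Account)          # bypass __init__ so no new fields appear
    old.__dict__.update({"name": name, "balance": balance})
    return pickle.dumps(old)


def load_account(data: bytes) -> Account:
    """Unpickle an Account, migrating old layouts through __setstate__."""
    obj = pickle.loads(data)
    if not isinstance(obj, Account):
        raise TypeError("expected Account, got %r" % type(obj))
    return obj


def round_trip(acct: Account) -> Account:
    return load_account(pickle.dumps(acct))


if __name__ == "__main__":
    print(load_account(make_v1_pickle("alice", 10)))   # migrated, currency filled in
    print(round_trip(Account("bob", 5, "EUR")))         # v2 survives unchanged
```

Keeping the version inside the pickled state (rather than in the class) is what makes the migration decidable at load time: `__setstate__` sees exactly what was written, upgrades it step by step, and rejects data from a newer schema instead of silently accepting unknown fields.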
