Rechercher

Article
· Sept 22, 2024 5m de lecture
Open Exchange

Database Management Tool

#Angular #Docker #Java #JavaScript #JDBC #REST API #InterSystems IRIS

Introduction

Managing databases and performing CRUD operations are fundamental tasks for developers building data-driven applications. While many database management systems (DBMS) exist, they can be complex and cumbersome to interact with, especially when it comes to creating databases and tables, handling constraints, and performing real-time data operations through an API.

This web-based Database Management Tool simplifies the entire process, offering an intuitive UI for managing databases and tables, alongside a powerful REST API for interacting with the data. Whether you’re a developer building a backend for your app or a data engineer needing to manage multiple databases efficiently, this tool provides a seamless and easy-to-use interface to create, update, and delete databases and tables. Additionally, it supports secure access via JWT tokens, ensuring that all data operations are performed safely.

The frontend is built with Angular 17 to provide a dynamic and responsive user experience, while the backend uses Java 21 with Spring Boot 3, ensuring high performance and scalability. The tool leverages InterSystems IRIS as the main database and Redis for caching, making data management both efficient and fast.

In this article, we will dive deep into the features of the tool and walk you through how to work with it, from setting up databases to utilizing the API for CRUD operations.

Creating Your First Database

Before you can start managing databases and tables, you'll need to create an account or log in with an existing one. This step ensures secure access to the system and enables you to manage your databases privately.

Once you are logged in, the main dashboard will give you access to all database management features. To create your first database, follow these steps:

  • Click on "Create New Database": This will open a form where you can enter the database details.
  • Enter the Database Name: Provide a unique name for your database. This name will be used to identify and manage the database.
  • Select Token Lifetime: Every database you create generates a special API token that allows you to interact with the database’s tables via REST API. You’ll need to select a lifetime for this token, choosing from one of the following options: day, week, month, year.

Creating a Table for Your Database

Once you've created your first database, the next step is to define the structure of your data by creating tables. Each table holds the data for your database, and you can customize the columns and constraints to fit your needs.

Open the Database

To start, navigate to the list of databases on your dashboard. Find the database in which you want to create a new table and click on it. This will open up the details page for the selected database.  

Create a New Table: 

  1. Click on "Create Table": Inside the database details page, you’ll see a "Create Table" button. Clicking this will open a new form where you can define your table.
  2. Enter the Table Name: In the form, provide a unique and descriptive name for your table. This name will be used to reference the table in both the UI and API.
  3. Define Table Columns: Click "Add Column": Each table consists of multiple columns, and you can add as many as needed for your data. For each column:
    1. Enter a Column Name: This will be the identifier for the column within the table.
    2. Select a Column Type: Choose from a variety of data types (e.g., String, Integer, Date, etc.) to match the kind of data that column will hold.
    3. Add Constraints: You can apply constraints such as NOT NULL, UNIQUE, or PRIMARY KEY to enforce rules on the column data.
  4. Submit the Table: Once you’ve added all your columns and set the appropriate constraints, click the "Submit" button to finalize the table creation. The new table will now appear in the list of tables for the database, ready for data entry or API operations.  

Using the API to Interact with Your Table

After creating your tables, you can start working with your data through the API, which allows you to perform CRUD (Create, Read, Update, Delete) operations on the tables. Each database has its own unique API token, which you will use to authenticate your requests to that specific database.

Access API Request Examples

Once your table is created, navigate to the Table Information Page by selecting the table from the list of tables within your database. On this page, you will find examples of the API requests you can make to interact with the table, including: get by field, get all, create, update, delete.  

Retrieve the Database API Token

To perform API operations on your table, you need to authenticate your requests with a special API token that was generated when you created the database. Here’s how to get the token:

  1. Navigate to the Database Information Page: Go back to the page for the database that contains your table.
  2. Copy the API Token: You’ll see a section with the token information. Copy this token, as it will be needed in the headers of every request you make to the API for that database.

Making a "Create" Request

Now that you have the token and have reviewed the API examples, let's add some records to your new table.

  1. Find the "Create" Request: On the Table Information Page, locate the "Create" request example. This will include the API endpoint URL and an example of the request body.     
  2. Send the Request: Using an API client (such as Postman, cURL, or any other tool), send your POST request to the API. The server will process the request and add the new record to the table.    

Getting All Records from the Table

Now that we’ve added some data to our table, let’s retrieve all the records to verify that our entries were saved correctly. The process for retrieving data is similar to creating records, but we’ll use a different API endpoint.      

Conclusion

That’s all for now! In this article, I’ve walked you through the main functionalities of this database management tool: from creating databases and tables, to performing basic CRUD operations through the REST API. However, this is just the beginning of what the application can do.

There are a variety of other features that make the tool powerful and versatile, such as:

  • Creating, updating, and deleting databases: Manage multiple databases effortlessly.
  • Customizing tables and columns: Add, modify, or remove columns, with support for various data types and constraints.
  • Extensive API access: Beyond simple CRUD operations, you can fully manage your database structures programmatically.

This tool aims to streamline database management, making it easy to organize your data and access it securely through the API. As development continues, more advanced features like custom queries, enhanced constraints, and additional column types will be added, expanding its possibilities even further.

Thank you for exploring this tool!

4 Comments
Discussion (4)2
Connectez-vous ou inscrivez-vous pour continuer
Article
· Sept 21, 2024 4m de lecture

Injection SQL - une menace vaincue ?

#SQL #Sécurité #InterSystems IRIS

Selon le rapport OWASP Top Ten de 2021, un document de référence reconnu dans le domaine de la sécurité des applications web, les injections SQL arrivent en troisième position des risques les plus critiques. Ce rapport, disponible sur OWASP Top 10: Injection, souligne la gravité de cette menace et la nécessité de mettre en place des mesures de protection efficaces.

Une injection SQL se produit lorsqu'un attaquant malveillant parvient à insérer du code SQL non autorisé dans une requête envoyée à une base de données. Ce code, dissimulé au sein des entrées utilisateur, peut alors être exécuté par la base de données, provoquant des actions indésirables comme le vol de données confidentielles, la modification ou la suppression d'informations sensibles, ou encore la perturbation du fonctionnement de l'application.

Que doit-on rechercher pour empêcher l’injection SQL ?

Une application est vulnérable aux attaques lorsque :

  • Les données fournies par l'utilisateur ne sont pas validées, filtrées ou nettoyées par l'application.
  • Les requêtes dynamiques ou les appels non paramétrés sans échappement sensible au contexte sont utilisés directement dans l'interpréteur.
  • Les données hostiles sont utilisées dans les paramètres de recherche de mappage objet-relationnel (ORM) pour extraire des enregistrements supplémentaires et sensibles.
  • Les données hostiles sont directement utilisées ou concaténées. Le SQL ou la commande contient la structure et les données malveillantes dans les requêtes dynamiques, les commandes ou les procédures stockées.

Les injections les plus courantes sont SQL, NoSQL, commande OS, mappage objet-relationnel (ORM), LDAP et Expression Language (EL) ou Object Graph Navigation Library (OGNL). Le concept est identique pour tous les interpréteurs.

Avant de plonger dans les techniques de prévention, il est crucial de comprendre comment les injections SQL fonctionnent.

Les attaquants peuvent exploiter des entrées utilisateur non validées pour injecter du code SQL malveillant dans une requête. Par exemple, si un utilisateur peut saisir une valeur dans un champ de recherche et que cette valeur est directement insérée dans une requête SQL sans validation (par exemple, set query = "SELECT * FROM Company.Accounts WHERE custID="_custID), un attaquant pourrait entrer une chaîne de caractères comme "1 union select * from Company.Accounts pour obtenir des détails sur tous les comptes.

Heureusement, InterSystems IRIS fournit plusieurs mécanismes pour prévenir les injections SQL :

  • Utilisation de paramètres préparés. Les paramètres préparés sont l'une des méthodes les plus efficaces pour prévenir les injections SQL. Ils séparent la structure de la requête des valeurs d'entrée, empêchant les attaquants d'injecter du code SQL malveillant. Par example le code 
 SET statement = ##class(%SQL.Statement).%New()
 DO statement.%Prepare("SELECT * FROM Library.Book where ID = ?")
 SET rs = statement.%Execute("3 union select * from library.Book")
 DO rs.%Display()

ne retournera rien.

Tandis que

 SET statement = ##class(%SQL.Statement).%New()
 DO statement.%Prepare("SELECT * FROM Library.Book where ID = ?")
 SET rs = statement.%Execute("3")
 DO rs.%Display()

retournera l'info :

  • Validation des entrées utilisateur. Valider les entrées utilisateur avant de les insérer dans des requêtes SQL est une autre mesure importante de prévention. Utilisez des expressions régulières ou des fonctions de validation appropriées pour vérifier la validité des données. Par exemple, si on utilise le code postal comme paramètre de la requête, on doit vérifier qu'il ne contient que des caractères numériques et qu'il comporte 5 caractères en general:
 SET statement = ##class(%SQL.Statement).%New()
 DO statement.%Prepare("SELECT * FROM Post.Address WHERE ZIP = ?")
 READ "Enter ZIP code: ", zip
 if zip?5N {
    SET rs = statement.%Execute(zip)
    DO rs.%Display()
    }

Ce code retournera

  • Utilisation de patterns dans les descriptions de class. Il est proche du point précédent, mais permet de vérifier l'entrée lors de l'ajout de nouvelles instances.
  • Filtrage des caractères spéciaux
    • Filtrer les caractères spéciaux qui peuvent être utilisés pour injecter du code SQL peut également aider à prévenir les attaques. Utilisez des fonctions de filtrage appropriées pour supprimer ou échapper aux caractères potentiellement dangereux.
  • Utilisation de procédures stockées
    • Les procédures stockées sont des objets de base de données qui encapsulent un ensemble d'instructions SQL. En utilisant des procédures stockées, vous pouvez centraliser la logique de votre application et réduire le risque d'injections SQL.
  • Mise à jour régulière des composants logiciels
    • Assurez-vous de mettre à jour régulièrement InterSystems IRIS et les composants logiciels connexes pour bénéficier des derniers correctifs de sécurité.

Pour conclure, les injections SQL sont une menace sérieuse pour la sécurité des applications Web. En suivant les méthodes de prévention décrites dans cet article, vous pouvez réduire considérablement le risque d'attaques d'injection SQL dans vos applications InterSystems IRIS. Il est important de combiner plusieurs techniques de prévention pour obtenir une protection maximale.

Discussion (0)2
Connectez-vous ou inscrivez-vous pour continuer
Question
· Sept 21, 2024

fileName in an FTP out

#Ensemble

Hi All ,

I would like to add session ID to the fileName in an FTP out pass thru business operation.
How can I do that ?

<Setting Target="Host" Name="Filename">SessionID_%f_%Q.txt</Setting>

2 Comments
Discussion (2)3
Connectez-vous ou inscrivez-vous pour continuer
Article
· Sept 21, 2024 3m de lecture
Open Exchange

Development Tools for Visibility into IRIS CCDA to SDA Transformation

#Environnement de développement #REST API #Test #Conseils et astuces #Outils #XML #HealthShare #InterSystems IRIS #InterSystems IRIS for Health #Open Exchange

There are many applications for working with HL7 V2 messages, but the tools for working with XML in IRIS Management Portal and Cache Studio are limited. While plenty of external utilities and IDEs work with XML messages and even C-CDA documents, there is a compelling case for being able to test directly against the IRIS C-CDA framework. 

Testing within the IRIS environment provides the necessary context: 

  • XML parser configuration
  • XML namespace context
  • Facility and OID setup
  • IHE header handling
  • The HS.IHE.Util, HS.Util.XSLTTransformer, and %XML.XSLT.Transformer packages
  • Leveraging the XSL codebase in /csp/xslt

The CCD DevTools package provides an API that exposes basic XSL and XPath capabilities from within IRIS. A simple UI facilitates common C-CDA developer tasks such as XPath evaluation and modification of the source document for iterative testing cycles. Execution occurs within IRIS in order to leverage the environment, while the UI allows visibility, repeatability, and the ability to isolate modifications and modules for testing.

Getting Started: 

  1. The CCD DevTools solution is available on the Open Exchange: CCD DevTools
  2. Once installed, the UI runs in a Docker container. Follow the instructions in the README to build and start docker. 
  3. Open the UI at: http://localhost:4000  
  4. Sample CCDs are included in the testing folder: iris-ccd-devtools/testing/sample_data

Home Page:

XPath Evaluator

  • A set of pre-configured XPaths provides the expected format for CCD XPaths in IRIS.
  • Additional XPath values can be pasted and edited
  • A source document can be loaded from a local file or pasted into the window
  • Manual modifications can be made to the source document for re-testing.


The “Viewer” button toggles between a pretty-print, collapsible view of the document and the raw text view. The text view is editable. 


CCDA to SDA Transforms

This window allows the user to select one of the standard IRIS base XSL transforms and apply it to the input document. The output contains the SDA output. 

Modifications can be made to the input document and re-submitted to evaluate how changes affect the output.


 

The Viewer button can be used on Input and Output for better visibility.

 

XSL Template Tester

Building C-CDA to SDA transform typically involves writing modular XSL templates that act on a specific XPath or section of the source document. The purpose of the XSL Template tester is to allow the developer to type or paste the contents of a template into the test window and apply it to a source document. 

The template is evaluated along with the identity template so that only the targeted location will be modified. 


With improved visibility into the input and output documents and the ability to make small modifications and retest, the CCD DevTools UI aims to speed up the build/unit test cycle for CCD transformations as well as lower the learning curve for developers to pick up domain knowledge and familiarity with working with C-CDA and SDA formats in IRIS. 

Have you worked with CCDs? What tools have you used? What future modifications or additions might make this tool more effective for your use cases? 

We’d love to hear any feedback!

7 Comments
Discussion (7)3
Connectez-vous ou inscrivez-vous pour continuer
Annonce
· Sept 20, 2024

[Video] Deployment Considerations for Your AI Solution

#Artificial Intelligence (AI) #Global Summit 2024 #Vidéo #Summit #InterSystems IRIS

Hi Community,

Play the new video on InterSystems Developers YouTube:

⏯ Deployment Considerations for Your AI Solution @ Global Summit 2024

AI is becoming increasingly critical to applications, but there often isn't enough discussion on maximizing its function and value. In this video, the presenter will explore how to ensure that this key component of the solution is available, performant, and resilient. Is it "just InterSystems IRIS" or are there more things to consider?   

🗣 Presenter: @Ray Wright, Principal Technology Architect, InterSystems  

Enjoy watching, and look out for more videos! 👍

Discussion (0)1
Connectez-vous ou inscrivez-vous pour continuer