librelist archives

Flask/Python/Security

From:
ajay menon
Date:
2012-06-07 @ 05:58
Hello
I am reading about Flask and web implementation. I would like to
understand your view on developing a large-scale web application that
will take private personal information. Are Flask, Python and SQLite3
the right way to go about it?

am

Re: [flask] Flask/Python/Security

From:
Joël Cox
Date:
2012-06-07 @ 06:43
Hi Ajay,

Python and Flask are a good combination for these kinds of applications. 
You might wanna look into Flask's Blueprints[0], which can help you 
structure bigger applications. Also remember that Flask is pretty 
lightweight, so there are quite a few things you will have to take care of 
yourself, like authentication, form validation and database access. 
However, there are plenty of good extensions[1][2][3] you can use so you 
don't have to reinvent the wheel.

As for SQLite, I wouldn't recommend using it if you expect even the least 
bit of load on your application. SQLite was designed as a single-user 
database, so every transaction will put a lock on your entire database file, 
which prevents other users from accessing your database at all. You will be 
much better off with something like PostgreSQL, unless you expect very 
minimal traffic.

Joël

[0] http://flask.pocoo.org/docs/blueprints/ 
[1] http://packages.python.org/Flask-Login/
[2] http://packages.python.org/Flask-WTF/
[3] http://packages.python.org/Flask-SQLAlchemy/

On Jun 7, 2012, at 7:58 AM, ajay menon wrote:

> Hello
> I am reading about Flask and web implementation. I would like to
> understand your view on developing a large-scale web application that
> will take private personal information. Are Flask, Python and SQLite3
> the right way to go about it?
> 
> am
> 
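Added example (not code from any poster in this thread) showing the locking behaviour Joël describes, using only the standard-library sqlite3 module on a constructed throwaway database: one connection opens a write transaction, and a second connection immediately hits "database is locked" when it tries to write, while reads still go through.

```python
import os
import sqlite3
import tempfile


def make_db() -> str:
    """Create a throwaway SQLite file with one table (constructed for this demo)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite3")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.commit()
    conn.close()
    return path


def contend_for_write(path: str) -> dict:
    """Let connection A start a write, then see what a second connection B can do."""
    a = sqlite3.connect(path)
    b = sqlite3.connect(path, timeout=0.05)  # fail fast instead of the default 5 s busy wait
    result = {}
    # A's INSERT implicitly opens a transaction and takes the RESERVED lock on the whole file.
    a.execute("INSERT INTO users (email) VALUES (?)", ("a@example.com",))
    # B may still read (rollback-journal mode lets readers share the file)...
    result["read_ok"] = b.execute("SELECT COUNT(*) FROM users").fetchall()[0][0] == 0
    # ...but B cannot write until A is done: this is the "database is locked" error.
    try:
        b.execute("INSERT INTO users (email) VALUES (?)", ("b@example.com",))
        result["write_blocked"] = False
    except sqlite3.OperationalError as exc:
        result["write_blocked"] = "locked" in str(exc)
    a.commit()  # A releases the file; B's retry now goes through
    b.execute("INSERT INTO users (email) VALUES (?)", ("b@example.com",))
    b.commit()
    result["rows_after"] = a.execute("SELECT COUNT(*) FROM users").fetchall()[0][0]
    a.close()
    b.close()
    return result


def demo() -> dict:
    path = make_db()
    try:
        return contend_for_write(path)
    finally:
        os.remove(path)
```

With a web server running several worker processes, every such collision is a request that fails or waits, which is the scaling limit being discussed.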

Re: [flask] Flask/Python/Security

From:
ajay menon
Date:
2012-06-07 @ 07:45
Thank you Joël, appreciate your detailed explanation.

am

On Jun 7, 2012, at 3:46 PM, "Joël Cox" <joel@joelcox.nl> wrote:


Re: [flask] Flask/Python/Security

From:
kracethekingmaker
Date:
2012-06-07 @ 13:26
SQLite is not at all the right way to go.
> Hello
> I am reading about Flask and web implementation. I would like to
> understand your view on developing a large-scale web application that
> will take private personal information. Are Flask, Python and SQLite3
> the right way to go about it?
>
> am


-- 
"Talk is cheap, show me the code" -- Linus Torvalds
Regards
Kracekumar.R
www.kracekumar.com

Re: [flask] Flask/Python/Security

From:
Simon Sapin
Date:
2012-06-07 @ 13:56
On 07/06/2012 15:26, kracethekingmaker wrote:
> SQLite is not at all the right way to go.

Why not? SQLite is perfectly fine (and zero maintenance) until you start 
having big-ish traffic. I have been running a dozen SQLite-based web 
sites for many years; only once every few months I get a "database is 
locked" message. (I get an email for each exception.)

It all depends on what you mean by "large scale"; if you’re only at the 
"idea" stage, SQLite will have no problem for quite a while.

Also, as Pronoy said, you can start with SQLite and switch to PostgreSQL 
(or other) later when it is needed. If you don’t write SQL queries 
directly but instead use an ORM like SQLAlchemy (or SQLSoup if you don’t 
like ORMs) the switch should be completely transparent.

Regards,
-- 
Simon Sapin

Re: [flask] Flask/Python/Security

From:
kracethekingmaker
Date:
2012-06-07 @ 14:09
How will you save a datetime object in sqlite3? You need to tweak the default 
settings. I would like to use MySQL or Postgres for testing as well, 
since all the errors from testing won't propagate from dev to prod.
> On 07/06/2012 15:26, kracethekingmaker wrote:
>> SQLite is not at all the right way to go.
> Why not? SQLite is perfectly fine (and zero maintenance) until you start
> having big-ish traffic. I have been running a dozen SQLite-based web
> sites for many years; only once every few months I get a "database is
> locked" message. (I get an email for each exception.)
>
> It all depends on what you mean by "large scale"; if you’re only at the
> "idea" stage, SQLite will have no problem for quite a while.
>
> Also, as Pronoy said, you can start with SQLite and switch to PostgreSQL
> (or other) later when it is needed. If you don’t write SQL queries
> directly but instead use an ORM like SQLAlchemy (or SQLSoup if you don’t
> like ORMs) the switch should be completely transparent.
>
> Regards,


-- 
"Talk is cheap, show me the code" -- Linus Torvalds
Regards
Kracekumar.R
www.kracekumar.com

Re: [flask] Flask/Python/Security

From:
pronoyc@gmail.com
Date:
2012-06-07 @ 14:27
>
> How will you save a datetime object in sqlite3? You need to tweak the default
> settings. I would like to use MySQL or Postgres for testing as well,
> since all the errors from testing won't propagate from dev to prod.


You don't need to worry about that :) Check this out. SQLAlchemy does that
for you.
http://packages.python.org/Flask-SQLAlchemy/quickstart.html#simple-relationships

-- 
Regards,

Pronoy Chopra
http://blog.pronoy.in <http://www.pronoy.in/about>/
http://www.twitter.com/pronoyc

Re: [flask] Flask/Python/Security

From:
kracethekingmaker
Date:
2012-06-07 @ 14:37
try this out

details.start_datetime.replace(tzinfo=pytz.timezone('Asia/Kolkata'))

store it in the sqlite db, retrieve it back and try
details.start_datetime.strftime("%Z")

If I am not wrong, Postgres and MongoDB store Python native 
datetime objects. Well, you can create a timezone entry for each user in a 
separate table


>     How will you save a datetime object in sqlite3? You need to tweak
>     the default
>     settings. I would like to use MySQL or Postgres for testing as well,
>     since all the errors from testing won't propagate from dev to prod.
>
>
> You don't need to worry about that :) Check this out. SQLAlchemy does 
> that for you.
> http://packages.python.org/Flask-SQLAlchemy/quickstart.html#simple-relationships
> -- 
> Regards,
>
> Pronoy Chopra
> http://blog.pronoy.in <http://www.pronoy.in/about>/
> http://www.twitter.com/pronoyc
>


-- 
"Talk is cheap, show me the code" -- Linus Torvalds
Regards
Kracekumar.R
www.kracekumar.com

Re: [flask] Flask/Python/Security

From:
pronoyc@gmail.com
Date:
2012-06-07 @ 14:42
Exactly as I said, don't use raw SQLite, use an ORM. No need to reinvent the
wheel when such a fantastic layer is provided.

> try this out
>
> details.start_datetime.replace(tzinfo=pytz.timezone('Asia/Kolkata'))
>
> store it in the sqlite db, retrieve it back and try
> details.start_datetime.strftime("%Z")
>
> If I am not wrong, Postgres and MongoDB store Python native datetime
> objects. Well, you can create a timezone entry for each user in a separate
> table
>

I don't know about PostgreSQL but yes Mongo does do that. You can store any
type of object in MongoDB. It supports creation of custom fields.
-- 
Regards,

Pronoy Chopra
http://blog.pronoy.in <http://www.pronoy.in/about>/
http://www.twitter.com/pronoyc

Re: [flask] Flask/Python/Security

From:
kracethekingmaker
Date:
2012-06-07 @ 14:47
Well, here details is a SQLAlchemy model and not a raw SQL query. If 
SQLite3 works, probably carry on.
> Exactly as I said, don't use raw SQLite, use an ORM. No need to reinvent 
> the wheel when such a fantastic layer is provided.
>
>     try this out
>
>     details.start_datetime.replace(tzinfo=pytz.timezone('Asia/Kolkata'))
>
>     store it in the sqlite db, retrieve it back and try
>     details.start_datetime.strftime("%Z")
>
>     If I am not wrong, Postgres and MongoDB store Python native
>     datetime objects. Well, you can create a timezone entry for each
>     user in a separate table
>
>
> I don't know about PostgreSQL but yes Mongo does do that. You can 
> store any type of object in MongoDB. It supports creation of custom 
> fields.
> -- 
> Regards,
>
> Pronoy Chopra
> http://blog.pronoy.in <http://www.pronoy.in/about>/
> http://www.twitter.com/pronoyc
>


-- 
"Talk is cheap, show me the code" -- Linus Torvalds
Regards
Kracekumar.R
www.kracekumar.com

Re: [flask] Flask/Python/Security

From:
Audrius Kažukauskas
Date:
2012-06-07 @ 14:58
On Thu, 2012-06-07 at 20:07:15 +0530, kracethekingmaker wrote:
> try this out
> 
> details.start_datetime.replace(tzinfo=pytz.timezone('Asia/Kolkata'))
> 
> store it in the sqlite db, retrieve it back and try
> details.start_datetime.strftime("%Z")

I would advise storing time in the database and processing it in your app in
the UTC timezone.  Only when you need to display time in the user's chosen
timezone should you apply it.  This will save you from daylight-saving-time
related and other headaches.

http://www.enricozini.org/2009/debian/using-python-datetime/
http://lucumr.pocoo.org/2011/7/15/eppur-si-muove/

> If I am not wrong, Postgres and MongoDB store Python native
> datetime objects. Well, you can create a timezone entry for each user
> in a separate table

PostgreSQL (and MongoDB, though I don't know for sure, as I haven't used
it) has native datetime types which can store timezone as well.  In
SQLite one needs to store time as strings (that's what SQLAlchemy does
for you).  Still, it's better to store timezones separately as user
settings.

-- 
Audrius Kažukauskas
http://neutrino.lt/
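Added example (not code from any poster in this thread) covering both the "store it and read it back" experiment above and the store-in-UTC advice, using only the standard-library sqlite3 and datetime modules in place of SQLAlchemy. The raw round trip writes the same zone-less text that SQLAlchemy's SQLite DateTime column stores, so the offset is lost and strftime("%Z") comes back empty; the UTC functions show the discipline of normalising on write, re-attaching UTC on read, and converting only for display. A fixed +05:30 offset stands in for Asia/Kolkata (which has no DST) so the block needs no timezone database.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Asia/Kolkata has no DST, so a fixed +05:30 offset stands in for it here;
# a real app would use zoneinfo.ZoneInfo("Asia/Kolkata") so shifting zones work too.
KOLKATA = timezone(timedelta(hours=5, minutes=30), "IST")
FMT = "%Y-%m-%d %H:%M:%S"  # SQLite has no datetime type; rows hold text like this

def round_trip_raw(dt: datetime) -> datetime:
    """The thread's 'store it and read it back' experiment: the offset is simply dropped."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ev (start_datetime TEXT)")
    conn.execute("INSERT INTO ev VALUES (?)", (dt.strftime(FMT),))  # zone never written
    text = conn.execute("SELECT start_datetime FROM ev").fetchall()[0][0]
    conn.close()
    return datetime.strptime(text, FMT)  # naive again, so strftime("%Z") gives ""

def to_storage(dt: datetime) -> str:
    """Normalise to UTC before writing; refuse naive input so no ambiguous local time is stored."""
    if dt.utcoffset() is None:
        raise ValueError("store aware datetimes only")
    return dt.astimezone(timezone.utc).strftime(FMT)

def from_storage(text: str) -> datetime:
    """Re-attach UTC on read: the zone is a rule of the app, not something the row remembers."""
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def for_display(dt_utc: datetime, user_tz: timezone) -> datetime:
    """Convert only at the presentation edge, using the user's own timezone setting."""
    return dt_utc.astimezone(user_tz)

def round_trip_utc(dt: datetime, user_tz: timezone) -> datetime:
    """Same round trip as above, but through the UTC discipline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ev (start_datetime TEXT)")
    conn.execute("INSERT INTO ev VALUES (?)", (to_storage(dt),))
    text = conn.execute("SELECT start_datetime FROM ev").fetchall()[0][0]
    conn.close()
    return for_display(from_storage(text), user_tz)

def demo() -> dict:
    start = datetime(2012, 6, 7, 13, 58, tzinfo=KOLKATA)  # constructed sample event time
    return {
        "naive_zone": round_trip_raw(start).strftime("%Z"),
        "stored": to_storage(start),
        "display": round_trip_utc(start, KOLKATA).strftime("%Y-%m-%d %H:%M %Z"),
    }
```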

Re: [flask] Flask/Python/Security

From:
kracethekingmaker
Date:
2012-06-07 @ 15:14
Inline replies!!
> On Thu, 2012-06-07 at 20:07:15 +0530, kracethekingmaker wrote:
>> try this out
>>
>> details.start_datetime.replace(tzinfo=pytz.timezone('Asia/Kolkata'))
>>
>> store it in the sqlite db, retrieve it back and try
>> details.start_datetime.strftime("%Z")
> I would advise storing time in the database and processing it in your app in
> the UTC timezone.  Only when you need to display time in the user's chosen
> timezone should you apply it.  This will save you from daylight-saving-time
> related and other headaches.
Well, agreed; this was a different use case and my intention was to explain 
the limitation of SQLite.
> http://www.enricozini.org/2009/debian/using-python-datetime/
> http://lucumr.pocoo.org/2011/7/15/eppur-si-muove/
>
>> If I am not wrong, Postgres and MongoDB store Python native
>> datetime objects. Well, you can create a timezone entry for each user
>> in a separate table
> PostgreSQL (and MongoDB, though I don't know for sure, as I haven't used
> it) has native datetime types which can store timezone as well.  In
> SQLite one needs to store time as strings (that's what SQLAlchemy does
> for you).  Still, it's better to store timezones separately as user
> settings.
>


-- 
"Talk is cheap, show me the code" -- Linus Torvalds
Regards
Kracekumar.R
www.kracekumar.com

Re: [flask] Flask/Python/Security

From:
pronoyc@gmail.com
Date:
2012-06-07 @ 13:31
Well actually, you could go for a DAL like SQLAlchemy. If you use a DAL, the
engine (sqlite3) doesn't really matter. As far as private information is
concerned, you need to make sure your application is secure. You can check
out various extensions in the extension registry and use things like
blueprints, application factories etc.
Hope that helps


> SQLite is not at all the right way to go.
> > Hello
> > I am reading about Flask and web implementation. I would like to
> > understand your view on developing a large-scale web application that
> > will take private personal information. Are Flask, Python and SQLite3
> > the right way to go about it?
>

-- 
Regards,

Pronoy Chopra
http://blog.pronoy.in <http://www.pronoy.in/about>/
http://www.twitter.com/pronoyc