SQLpage VS ZAP

Saving further clicks:

> SQLPage is a tool that allows you to build websites using nothing more than SQL queries. You write simple text files containing SQL queries, SQLPage runs them on your database, and renders the results as a website.

The 22-line "TinyTweeter" example at 28:45 [0] in the video is a good overview - perhaps better than anything currently on the homepage/docs: https://github.com/lovasoa/SQLpage/blob/main/examples/tiny_t...

Also, based on a couple of discussions [1][2] it seems like SQLPage has the potential to combine well with HTMX too. The two projects definitely share a similar philosophy.

[0] https://youtu.be/mXdgmSdaXkg?t=1721

[1] https://github.com/lovasoa/SQLpage/issues/84#issuecomment-19...

[2] https://github.com/lovasoa/SQLpage/pull/175#issuecomment-187...

I am currently looking for a solution to run automated tests on a sql website generator I am working on ( https://sql.ophir.dev )

I wanted to use hurl (https://hurl.dev/), but Bruno's UI seems to be useful while developing the tests... Has someone tried both ? Which is better for automated testing, including when the response type is html and not json?

Full fledged BI tools like Superset and Metabase are amazing for their intended use cases.

But they may be an overkill if your primary use case is to infrequently build semi-interactive reports for non-technical end-users and your use cases are are mostly covered by standard graphs & tables. Esp. so if you are familiar with SQL and have access to the underlying data source. Two nifty utilities I have found to be very useful for latter kind of use cases are SQLPage and Evidence.

They make it very convenient to whip out some SQL and convert that to a neat professional looking web ui that can be forwarded to an end user. In case of Evidence it is a statically generated site, and in case of SQLPage it is a web app that connects to a live database.

SQLPage: https://sql.ophir.dev/

Evidence: https://evidence.dev

I feel obligated to add a shameless plug here. The idea is very close to a project I presented at pgconf.eu last week: SQLPage

https://sql.ophir.dev/

SQLPage has the same goal as postgrest+htmx, but is a little bit higher level. It let's you build your application using prepackaged components you can invoke directly from SQL, without having to write any HTML, CSS, or JS.

It would be great if someone could open a github issue with reproduction steps and maybe a screenshot: https://github.com/lovasoa/SQLpage/issues

The worst I'm able to get when manually disabling the cache and simulating a slow 3G connection is this: a blank page first, then text in the browser's font, then the text re-renders with the right font, then the icons load. The user should never see completely unstyled content.

The site uses "font-display: fallback" so this happens only on slow network connections. If the font loads fast enough, then the fallback never appears.

The official website for SQLPage (https://sql.ophir.dev/) is written in SQLPage.

The source code is here: https://github.com/lovasoa/SQLpage/tree/main/examples/offici...

The site also links to this little collaborative game written in SQLPage: https://conundrum.ophir.dev/

The github README has code snippets and associated screenshots: https://github.com/lovasoa/SQLpage#examples

There is also an official repl.it that you can fork to quickly try it online without having to download anything: https://replit.com/@pimaj62145/SQLPage

And SQLPage cloud is coming: https://sql.ophir.dev/your-first-sql-website/hosted.sql

Hey HN community!

I'll be making my first ever presentation at a large tech conference at pgconf.eu this December, where I'll be presenting the SQLPage webapp micro-framework ( https://sql.ophir.dev/ ). I'm eager to make a lasting impression and deliver a presentation that truly resonates with the audience at the conference, who probably knows more about postgres than I do.

That's where I could use your insights. What makes a good tech talk in your eyes? Do you like seeing mind-blowing demos, deep dives into code, compelling storytelling, or something else entirely ?

If you have any specific advice, tips, or ideas for structuring a tech conference presentation, I'm all ears. I want to ensure that my presentation is not just informative but also an experience to remember.

Thank you in advance for your guidance and suggestion !

When I see that, I always wonder whether this is part of the business plan of the people who distribute open source software for free, with a paid hosted version. There is some kind of a conflict of interest: the easier the software is to install and operate, the less attractive the hosted version.

I am working on an open-source software with a hosted version myself ( https://sql.ophir.dev ). It's a website builder, and I'm trying to make ease of deployment and operations a competitive advantage, which is marketed on the home page. But it may be idealistic to ask the same of others. My audience is mostly people who will have to operate the software themselves, whereas in most other domains, the people making the choice to use the software and the people who will then have to operate it are not the same.

I use ZAP [1] with the OAST add-on for this at the moment. I admit the UX isn't perfect, but it serves my purpose.

If I also want control over the responses (e.g. return a 401 status code for every fifth request), I have a custom extender script [2] for that.

[1]: https://www.zaproxy.org/

Implement tools like Burp Suite or OWASP ZAP for in-depth security scanning of your APIs.

OWASP ZAP

The use of capital punctuation implies a warning? an alert? Would this same response be warranted for Burp which is also a commercial, closed source product?

If this is an issue for some, then ZAP being open source[1] maybe favourable.

That said, Burp is the defacto tool for a reason - it's best in class. Every pentester I know, including myself, has a paid subscription. The fact that it's closed source hasn't been an issue.

[1] https://github.com/zaproxy/zaproxy

Briefly reviewed your product. Seems like OWASP ZAP is your competition: https://www.zaproxy.org/

It runs entirely in the browser so it uses the browser "native" frameworks.

Dynamic analysis involves testing your application while it's running. Tools like OWASP ZAP and Burp Suite can help identify vulnerabilities like SQL injection or Cross-Site Scripting by sending malicious requests to your application and analyzing the responses.

> Lying is not an embellishment or puffery, it's a lie. Engaging a company for a 3 day pen test that's totally insufficient, that would be an embellishment.

I agree, but if the RFP question was phrased "have you done penetration testing?" then that leaves a lot of room for embellishment. If the question is "do you have SOC2 certification?" and you answer "yes" untruthfully, then that is a lie. If they ask for the SOC2 or pentest report and you give them a falsified document, that's where you're (probably) committing fraud.

> One of the most important part of pen tests is that they are external.

AWS/Google/etc have internal security teams doing their pen tests, so no, this isn't true.

> Just doing your job as an engineer and looking for bugs is not a pen test.

What about an engineer spending an afternoon running ZAP[0]?

> It's like saying, "what is an audit really? We have accountants and they check our books for anomalies."

Yeah, which is why you don't just ask a company "do you keep track of your finances?" if you're investing in them, you request external auditors.

[0] https://www.zaproxy.org/

In addition to manual security reviews, you can also implement DevSecOps practices to automate security checks. For example, you can set up a CI/CD pipeline to run static code analysis tools like CodeQL and automatically run penetration tests using tools like OWASP ZAP.

OWASP ZAP (open source)

I would start by installing Burp Suite or OWASP Zap and seeing what the actual messages look like