
Comments for: badar20040430

Message # 1020057:
Date: 05/06/04 14:47
By: Benjamin Smith Profile
Subject: Dangers of abstraction

Operating at this high level of abstraction, where, for instance, queries to the database are determined by the values passed in XML, can be very, very dangerous.

If a black hat were to discover the ability to pass XML directly through malformed URLs, simulated posts, or by discovering a route directly to the content engine, it could conceivably allow full and unrestrained access to the database.

(VERY, VERY BAD!)

I've worked in highly abstract areas like this, and it's really, truly difficult to design a security scheme that covers all these possibilities - and I've rediscovered the art of simple code.

In very, VERY few cases is it really important that you can abstract out the database, particularly in any kind of custom development (which is perhaps 80% of what I get paid to do).

So, after starting out determined to write perfect, platform-agnostic code, I've "seen the light" and now happily develop code around the exact database and environment available.

My choice is normally RedHat Linux, PHP4 and Postgres. I've yet to be led astray with this combination.

If you need to scale, there are numerous technologies you can use. You can run multiple content servers connecting to one or more replicated database servers. You can run reverse proxies.

But I've yet to see a clear case where running to XML is a particular advantage, but I've seen plenty of cases where it's used to no benefit other than to make debugging more difficult.

Neat? Yes. Useful? Kinda.
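As an added example (not code from the post, the forum, or any project it mentions), here is the pattern the post warns about, in Python with sqlite3 rather than the PHP4/Postgres stack the author uses: a small "content engine" that builds a SELECT from a client-supplied XML request, beside a version that only lets the XML pick from a server-side allowlist of tables and columns and binds the value as a parameter. The request format, the schema, the table names and the rows are all constructed for this demo.

```python
import sqlite3
import xml.etree.ElementTree as ET


class RequestError(ValueError):
    """Raised by the hardened engine when a request names something it may not touch."""


def make_db():
    """Constructed demo database (not from the post): one public table, one private one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER, name TEXT, password_hash TEXT);
        INSERT INTO articles VALUES (1, 'Hello', 'First article');
        INSERT INTO articles VALUES (2, 'World', 'Second article');
        INSERT INTO users VALUES (1, 'admin', 'deadbeef');
        """
    )
    return conn


def parse_request(xml_text):
    """Assumed request format: <query table="T"><where field="F" value="V"/></query>."""
    root = ET.fromstring(xml_text)
    where = root.find("where")
    if root.tag != "query" or where is None:
        raise RequestError("malformed query request")
    return root.get("table", ""), where.get("field", ""), where.get("value", "")


def run_vulnerable(conn, xml_text):
    """The pattern the post warns about: every XML value is spliced into the SQL text,
    so whoever can hand XML to this engine chooses the table, the column and the clause."""
    table, field, value = parse_request(xml_text)
    sql = f"SELECT * FROM {table} WHERE {field} = '{value}'"
    return conn.execute(sql).fetchall()


# Server-side allowlist of what this endpoint may query. The XML can only
# select among these names; it never supplies its own identifiers.
ALLOWED = {"articles": {"id", "title"}}


def run_hardened(conn, xml_text):
    """Identifiers are checked against ALLOWED; the value is bound as a parameter."""
    table, field, value = parse_request(xml_text)
    if table not in ALLOWED or field not in ALLOWED[table]:
        raise RequestError(f"{table}.{field} is not permitted for this endpoint")
    sql = f'SELECT * FROM "{table}" WHERE "{field}" = ?'
    return conn.execute(sql, (value,)).fetchall()


def hardened_rejects(conn, xml_text):
    """True when the hardened engine refuses the request."""
    try:
        run_hardened(conn, xml_text)
    except RequestError:
        return True
    return False


# Constructed requests: one legitimate, three that an attacker might send once
# they find a way to deliver XML to the engine directly.
LEGIT = '<query table="articles"><where field="id" value="1"/></query>'
# Point the engine at a table the page never exposes; "--" comments out the WHERE.
TABLE_ATTACK = '<query table="users --"><where field="id" value="1"/></query>'
# Tautology in the value: returns every row of the table.
VALUE_ATTACK = """<query table="articles"><where field="id" value="' OR '1'='1"/></query>"""
# Smuggle a clause through the column name.
FIELD_ATTACK = '<query table="articles"><where field="1=1 OR id" value="x"/></query>'


def demo():
    """Run every request through both engines and return the outcomes."""
    conn = make_db()
    return {
        "legit_vuln": run_vulnerable(conn, LEGIT),
        "legit_hard": run_hardened(conn, LEGIT),
        "table_vuln": run_vulnerable(conn, TABLE_ATTACK),
        "value_vuln": run_vulnerable(conn, VALUE_ATTACK),
        "field_vuln": run_vulnerable(conn, FIELD_ATTACK),
        "table_rejected": hardened_rejects(conn, TABLE_ATTACK),
        "value_hard": run_hardened(conn, VALUE_ATTACK),
        "field_rejected": hardened_rejects(conn, FIELD_ATTACK),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against the vulnerable engine the table attack returns the users row with its password hash, and the value and field attacks return every article; the hardened engine rejects the two requests that name identifiers outside the allowlist and returns no rows for the tautology, because the bound value is compared literally. sqlite3 refuses stacked statements, so a trailing `; DROP TABLE` would not run here, but that is a property of this driver, not of the vulnerable code.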



Comments:
Cool but yet... | Hakan | 02/16/05 09:41
And how about those fairies? | Sex Beplaced Ru | 12/07/04 09:44
why stop there? | Schmell | 07/14/04 21:42
What's all this about? | DaDuke | 05/15/04 10:28
Dangers of abstraction | Benjamin Smith | 05/06/04 14:47
platform in development phpMyOffice | Thiamat | 05/05/04 06:37