Re: FN-FORUM: PHP PostData security
date posted 29th May 2007 13:50
> Wrong. MVC facilitates security in depth, something that is not easy to
> achieve in a monolithic model.

Which aspect of the MVC pattern protects against SQL injection, and which
aspect stops cross-site scripting?

Perhaps we're using the term "MVC" in different ways? I understand it to
mean "the MVC software design pattern", and that pattern does not mention
anything about website security (in fact the pattern was designed for
desktop applications, well before web sites started using it).

Put another way, I can easily write an MVC web application that is open to
SQL injection, cross-site scripting attacks, etc.

Particular web application frameworks, that happen to be a little
MVC-like, might well include the necessary filtering and escaping
required, but that's a feature of the framework, not MVC.

Anthony
--
www.fonant.com - Quality web sites
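
Added example, not part of the original post: a minimal PHP model/view/controller split showing the point argued above, that the same controller and the same separation of layers can carry either an injectable model and unescaped view or a parameterised model and escaped view. All function names, the table and the POST data are constructed for illustration; it assumes the pdo_sqlite extension.

```php
<?php
// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, bio TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'likes <b>PHP</b>'), ('bob', 'admin')");

// Model (unsafe): POST data is concatenated into the SQL text,
// so a quote in $name changes the structure of the query.
function findUsersUnsafe(PDO $db, string $name): array {
    return $db->query("SELECT name, bio FROM users WHERE name = '$name'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Model (safe): the same query with a bound parameter; $name is only ever data.
function findUsersSafe(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name, bio FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// View (unsafe): stored values are written into the HTML as-is.
function renderUnsafe(array $rows): string {
    $html = '';
    foreach ($rows as $r) {
        $html .= "<li>{$r['name']}: {$r['bio']}</li>\n";
    }
    return $html;
}

// View (safe): every value is escaped for the HTML context on output.
function renderSafe(array $rows): string {
    $html = '';
    foreach ($rows as $r) {
        $html .= '<li>' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8') . ': '
               . htmlspecialchars($r['bio'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

// Controller: identical in both cases; the pattern itself adds no filtering.
function controller(array $post, PDO $db, callable $model, callable $view): string {
    return $view($model($db, $post['name'] ?? ''));
}

$post = ['name' => "nobody' OR '1'='1"];   // constructed POST data
echo "unsafe:\n", controller($post, $db, 'findUsersUnsafe', 'renderUnsafe');
echo "safe:\n",   controller($post, $db, 'findUsersSafe', 'renderSafe');
echo "safe, name=alice:\n", controller(['name' => 'alice'], $db, 'findUsersSafe', 'renderSafe');
```

The protection sits in the bound parameter and in htmlspecialchars(), not in how the code is divided into model, view and controller.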