Freelancers.net is owned and operated by Andy Stowell and Dan Winchester

Re: FN-FORUM: PHP PostData security

date posted 29th May 2007 13:56

From: "Anthony Cartmell" [EMAIL REMOVED]
>
> > In summary, what was ultimately referred to as the MVC pattern to
> > approach (separation of logic) was to enable most developers to
> > kill web page security issues, whether by URL or form field
> > injection.
>
> MVC is another red-herring, as separating the model, view and controller
> has no intrinsic security benefits, merely maintenance and flexibility
> ones. In no way does using the MVC pattern "kill web security issues". The
> location of the logic, and the number of pages used, doesn't matter: what
> matters is filtering inputs and escaping outputs.
>
> Processing user-supplied data on the same page that it was submitted from
> is no more risky than processing it via any number of objects in any
> pattern you like. The "solution" originally referred to was "a processing
> script that put all post variables into a session and then redirected to
> the main script", which suggested that copying $_POST variables into
> $_SESSION, and then redirecting, would have some magic security benefit,
> which is plainly wrong.

Sorry Anthony, on both points you have failed to understand the outcome of
this long thread - particularly on the second point. Feedback on this
subject has been based on a lot of failure to understand.

Disconnecting logic and methods from the client/business/data tier is just
that - whole disconnection. Nothing of security flaws can get through. How
it's done is a matter of coding. To suggest MVC (I prefer n-tier) is a
red-herring is wrong. Correct separation is about security as well as good
architecture.

I repeated what I meant about $_SESSION variables but there is still a
failure ad nauseam to pick up that I do not, and would never, advocate
dumping request variables into a session variable. The notion is plainly
ridiculous. But parsing request variables for processing, acting upon them,
disposing of them and, ad separatim returning results using the session
mechanism, is a good and robust way to go. There are other methods, but it
is a good way to go - and clean.

I did take on board some of the criticism received to my posts on this thread. I
couldn't resist having a look at some of the websites produced by critics -
sheer nosiness. Alas, I saw a mixture of poor design, failed validation and
accessibility, and other issues with the result that I wondered how much
theory was put into practice.
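An added example, not code from the thread or from either poster, of the handler both sides describe from different angles: validate the request fields, run a parameterised query, escape on output, and after processing redirect (Post/Redirect/Get) with only the outcome, never the raw request data, carried in the session. It assumes a PDO handle `$pdo` and a hypothetical `comments(id, author, body)` table.

```php
<?php
// Added example (not from the thread). Copying $_POST into $_SESSION adds no
// protection; what protects the page is validation, parameterised SQL and
// output escaping. Assumes $pdo (PDO) and a hypothetical comments table.
session_start();

function validate_comment(array $post): array
{
    // Whitelist-style validation of the only two fields this form accepts.
    $errors = [];
    $author = trim($post['author'] ?? '');
    $body   = trim($post['body'] ?? '');
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $author)) {
        $errors[] = 'Author must be 1-40 letters, digits, spaces or .\'-';
    }
    if ($body === '' || mb_strlen($body) > 2000) {
        $errors[] = 'Comment must be between 1 and 2000 characters';
    }
    return [$errors, ['author' => $author, 'body' => $body]];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $clean] = validate_comment($_POST);
    if (!$errors) {
        // Parameterised query: the data never becomes part of the SQL text.
        $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
        $stmt->execute([$clean['author'], $clean['body']]);
    }
    // Post/Redirect/Get: only the outcome travels via the session; the request
    // data is discarded with this request rather than stored anywhere.
    $_SESSION['flash'] = $errors ?: ['Comment saved'];
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

// GET: escape every value on output, whatever its source (session or database).
$flash = $_SESSION['flash'] ?? [];
unset($_SESSION['flash']);
foreach ($flash as $msg) {
    echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
}
$rows = $pdo->query('SELECT author, body FROM comments ORDER BY id DESC LIMIT 20');
foreach ($rows as $row) {
    echo '<p><b>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8') . '</b>: '
       . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . '</p>';
}
```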



