Re: FN-FORUM: PHP PostData security
date posted 29th May 2007 14:03
On 29 May 2007 12:58:58 -0000, Anthony Cartmell wrote
> > Wrong. MVC facilitates security in depth, something that is not easy to
> > achieve in a monolithic model.
>
> Which aspect of the MVC pattern protects against SQL injection, and
> which aspect stops cross-site scripting?

None of it. I didn't say the MVC pattern *provided* security in depth, I
said it *facilitated* security in depth. It is easier to write gatekeepers
at the various MVC boundaries than to write them for a monolithic model.

> Particular web application frameworks, that happen to be a little
> MVC-like, might well include the necessary filtering and escaping
> required, but that's a feature of the framework, not MVC.

Correct, a feature that is far easier to write because of the MVC pattern
than if the framework used a more monolithic pattern, hence my original
statement.

Cheers,
Gary
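
An added illustration, not part of the original thread, of what gatekeepers at the MVC boundaries can look like for the two issues raised above (SQL injection and cross-site scripting). All class and function names are hypothetical, and the sketch assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Model boundary: the only place SQL is built, and values are always bound.
final class CommentModel {
    public function __construct(private PDO $db) {}
    public function add(int $postId, string $body): void {
        $this->db->prepare('INSERT INTO comments (post_id, body) VALUES (?, ?)')
                 ->execute([$postId, $body]);
    }
    public function forPost(int $postId): array {
        $stmt = $this->db->prepare('SELECT body FROM comments WHERE post_id = ?');
        $stmt->execute([$postId]);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    }
}

// Controller boundary: raw POST data is validated and typed before the model sees it.
function handlePost(array $post, CommentModel $model): bool {
    $postId = filter_var($post['post_id'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    $body = is_string($post['body'] ?? null) ? trim($post['body']) : '';
    if ($postId === false || $body === '' || strlen($body) > 2000) {
        return false; // rejected here; nothing reaches the model
    }
    $model->add($postId, $body);
    return true;
}

// View boundary: every stored value is escaped for the HTML context on output.
function renderComments(array $bodies): string {
    $html = "<ul>\n";
    foreach ($bodies as $b) {
        $html .= '  <li>' . htmlspecialchars($b, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (post_id INTEGER, body TEXT)');
$model = new CommentModel($db);
handlePost(['post_id' => '7', 'body' => "it's a quote'); --"], $model);        // stored as data
handlePost(['post_id' => '7', 'body' => '<b onmouseover=x>hi</b>'], $model);   // stored raw, escaped on output
handlePost(['post_id' => '7 OR 1=1', 'body' => 'never stored'], $model);       // fails integer validation
echo renderComments($model->forPost(7));
```

Each check lives at one boundary, so a missed check at one layer is still backstopped by the next: the model binds values even if the controller lets something through, and the view escapes whatever the model returns.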