Archive for the ‘Projects’ Category

Events, events and more events!

Friday, January 22nd, 2010

After thinking, thinking, thinking and thinking, I just had to admit it’s hard to make your web application support plug-ins/add-ons/modules/extensions, whatever you prefer to call them; for me they are extensions. So I went over some patterns and finally came up with a few ideas. They included a registry (a protected one, of course), events (by name), listeners (the extensions) and a handler to manage the injections.

I’m aware I left template “manipulation” out, and I still won’t care about it yet. It is not the time to bother with such fancy features if I don’t have a solid extension base to work with. I’m seriously hoping to pull this one off. I want to get STARTED coding more, but I can’t code blindfolded with just ideas in my head and no blueprint to guide me, which is why I analyze, design, implement, test (you should know what I’m talking about :) ).

Extensions in a bulletin board are hard to picture; I mean, there is so MUCH data to process. There are so many “events” to place, like the one I placed, “prePostLoop”, which, if injected, hands all the raw data to your extension for you to process instead of calling my default model. Of course, you don’t have to hook “prePostLoop” just to change ONE thing; there will, of course, be other events to place.

Yet a bigger problem to overcome is building the extension database layer and choosing the right database user, and also determining the extension’s “templatebits” and “routes”. It all requires a lot of “injections” into routes, Doctrine (yes, I chose Doctrine ORM) and views. One thing for sure is that, in the end, you will have to place your function in the template. That’s a no-brainer for many people, but I’m attempting to do something else.

To be honest, while it looks overwhelming to me, I still know I can do it if I keep my mind cool. I mean, it’s not HARD, not like when I had to take a few days off after I designed the ACL (access lists), ACL_Roles, ACL_Roles_Whitelist and ACL_Items. All I know is that the initialization of the board is going to be quite heavy.

To end this post, talking about events made me think of “Sections”, as in “link sections”, where everyone wants to keep things nice and neat. The problem with link sections is that I have to take care of administration pages and other things. That means many things, and an “Iterate” object comes to mind. Such an eventful semester; I’m hoping it gives good results :)

Thoughts on security in web applications

Tuesday, January 19th, 2010

I’m pretty weary. I’ve spent all this week working on what/how/where/when implementations, starting with the logic: “what will this object hold?”. Working on the prototype of OpenType Threads has made me realize how important it is to detail a plan. It’s good, but also a bit lonely; hopefully when I launch the prototype some developers will join me.

It is exciting in a way to pick up new concepts, and just yesterday I started to get a new one that I will immediately implement.

The plan is the following; it is probably nothing new to many seasoned programmers, but in current projects it is rarely seen, especially in PHP. We usually use database storage, probably MySQL. MySQL lets multiple users share one database, each with different permissions. Quite a nice feature, isn’t it? It’s hard to appreciate how useful this is, because installing a PHP script usually relies on a single account holding the usual “SELECT, CREATE, INSERT, DELETE, DROP, UPDATE, ALTER”. We don’t usually THINK about why MySQL users exist, and many installers just tell you “Hey! Just write your database, database user, password and port if there is one, and we’ll do the rest!” That is the worst mistake, and you’ll see why:

I layered the OpenType Threads administration concept in two: the master and the user. The master user has the following privileges:

Master user:

  • INSERT
  • DELETE
  • UPDATE
  • SELECT
  • CREATE
  • ALTER
  • INDEX
  • DROP

The user:

  • SELECT
  • INSERT
  • DELETE
  • UPDATE

Now, where do we usually use the “master user”? The answer lies in the administration panel. Imagine you use WordPress: WordPress plug-ins usually need to CREATE/DROP/ALTER/INDEX a table and INSERT, DELETE, UPDATE and SELECT data. That is exactly what the admin section does, so the master user belongs there and nowhere else.

Now, why would I want two users sharing the same database? The answer lies in SQL injection. I won’t pretend this will take care of all injections; that depends mostly on how your web application sanitizes its inputs (prepared statements are the real fix, the second account only limits the blast radius). It will certainly blunt the most destructive ones, for example:

- A malicious user attempts to DROP a table or the whole database; with a single all-powerful account everything would be lost in one command, but the normal user simply lacks the DROP privilege and MySQL refuses the statement.
- One of your administrators “betrays” you and tries to delete tables through the public pages; again, the DROP command is unavailable to the account those pages run as.
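The two accounts described above, written out as MySQL statements. This is an added example, not code from the original post or from OpenType Threads; the database name `ott`, the account names `ott_master` and `ott_user` and the passwords are assumptions, while the privilege lists are exactly the ones the post gives.

```sql
-- Added example (not from the original post). Assumed names: database `ott`,
-- accounts `ott_master` and `ott_user`; the privilege sets come from the post.
CREATE DATABASE IF NOT EXISTS ott;

-- Master account: used only by the administration panel (installs, schema
-- changes, emptying the trash can). Scoped to the one database, not to *.*.
CREATE USER 'ott_master'@'localhost' IDENTIFIED BY 'change-me-master';
GRANT INSERT, DELETE, UPDATE, SELECT, CREATE, ALTER, INDEX, DROP
  ON ott.* TO 'ott_master'@'localhost';

-- Normal account: the one the public-facing pages connect with.
CREATE USER 'ott_user'@'localhost' IDENTIFIED BY 'change-me-user';
GRANT SELECT, INSERT, DELETE, UPDATE
  ON ott.* TO 'ott_user'@'localhost';

-- Check what each account really holds before shipping the installer.
SHOW GRANTS FOR 'ott_user'@'localhost';
SHOW GRANTS FOR 'ott_master'@'localhost';

-- What an injected payload can and cannot do when a page runs as ott_user.
-- Suppose the vulnerable query is
--     SELECT artTitle FROM articles WHERE artID = <unsanitized id>
-- and the attacker submits:   1; DROP TABLE articles; --
-- Even where the driver accepts stacked statements, the second one is
-- rejected by the server itself:
--     ERROR 1142 (42000): DROP command denied to user 'ott_user'@'localhost'
--     for table 'articles'
-- Confirm it yourself by running the next line while connected as ott_user
-- (expect the error above, not a dropped table; as ott_master it WOULD succeed):
DROP TABLE articles;
```

The point of the `SHOW GRANTS` lines is that the check belongs in the install script, not in your head: a later "quick fix" that grants `ALL PRIVILEGES` to the public account silently undoes the whole scheme.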

Now, as we see, using the “normal user” will certainly be helpful. Yet it leaves a gap: the normal user still holds DELETE, so an injection can still wipe rows even if it cannot drop tables. We can close that gap too if we rethink the application. Let’s say your articles table has the usual columns (artID, artContent, artTitle); add one more column, artState ENUM('publish', 'delete', 'draft'). We have enumerated three states: publish, delete and draft. The usual “publish” just shows the article to the users viewing your site.

Now, instead of issuing DELETE to remove the record, the front end sets artState to 'delete', which hides the record and puts it in a “trash can”. Rows are ONLY physically deleted from the administration panel, because that is where the “master user” is used. Once the public pages never delete anything, the normal user no longer needs the DELETE privilege at all, and revoking it turns the soft delete from a convention into something the database enforces.

Issues like “what if my admin login gets stolen?” or “what if the malicious user steals the master user’s username and password?” depend on the security of your web application as a whole; they have nothing to do with the TRANSACTIONS made. And of course, sanitize all inputs.

I don’t believe it hurts to try this, because so far it’s just another measure to take. In fact, I’m not stopping at using TWO MySQL users. I’m also throwing in foreign key constraints, to stop any user from deleting data that is still referenced from another table (in MySQL they are only enforced on InnoDB tables; a MyISAM table accepts the syntax and silently ignores it). Foreign key constraints are useful, but they can also turn into a double-edged blade if you overuse them.
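The soft-delete column and the foreign key constraint from the last few paragraphs, worked through together. This is an added example, not the project’s own schema; the articles table and the artID/artTitle/artContent/artState columns follow the post, while the comments table, the sample rows and the account names ott_user/ott_master are assumptions made for the example.

```sql
-- Added example (not from the original post). articles and its columns follow
-- the post; the comments table, sample rows and the ott_user/ott_master
-- account names are assumptions. InnoDB is required for the FOREIGN KEY to
-- be enforced at all.
CREATE TABLE articles (
  artID      INT UNSIGNED NOT NULL AUTO_INCREMENT,
  artTitle   VARCHAR(255) NOT NULL,
  artContent TEXT NOT NULL,
  artState   ENUM('publish', 'delete', 'draft') NOT NULL DEFAULT 'draft',
  PRIMARY KEY (artID)
) ENGINE=InnoDB;

CREATE TABLE comments (
  comID   INT UNSIGNED NOT NULL AUTO_INCREMENT,
  artID   INT UNSIGNED NOT NULL,
  comBody TEXT NOT NULL,
  PRIMARY KEY (comID),
  -- RESTRICT: a parent row cannot go away while a child still points at it.
  CONSTRAINT fk_comments_article FOREIGN KEY (artID)
    REFERENCES articles (artID) ON DELETE RESTRICT
) ENGINE=InnoDB;

-- Sample data, constructed for the example.
INSERT INTO articles (artTitle, artContent, artState) VALUES
  ('Hello', 'first post', 'publish'),
  ('Draft', 'not yet',    'draft');
INSERT INTO comments (artID, comBody) VALUES (1, 'nice');

-- Public pages (connected as ott_user) only ever read published rows ...
SELECT artID, artTitle FROM articles WHERE artState = 'publish';

-- ... and "delete" by moving the row to the trash can, never with DELETE.
UPDATE articles SET artState = 'delete' WHERE artID = 1;

-- With soft delete in place the public account no longer needs DELETE;
-- revoke it (run as a privileged account) so an injected DELETE fails too.
REVOKE DELETE ON ott.* FROM 'ott_user'@'localhost';

-- Emptying the trash can is an admin-panel action run as ott_master.
-- This alone fails with ERROR 1451 (a foreign key constraint fails) because
-- comment 1 still references article 1, which is exactly what we wanted:
DELETE FROM articles WHERE artState = 'delete';

-- The purge therefore has to remove dependants first, in one transaction,
-- so a failure half-way leaves neither orphans nor a half-emptied trash.
START TRANSACTION;
DELETE c FROM comments c
  JOIN articles a ON a.artID = c.artID
 WHERE a.artState = 'delete';
DELETE FROM articles WHERE artState = 'delete';
COMMIT;
```

The failing `DELETE` in the middle is the “double-edged blade” from the post: the constraint protects referenced data from a stray or injected delete, but every legitimate purge now has to know the dependency order, and each additional foreign key adds a step to it.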

Well, there is still a lot to learn :) I’m still lurking in the MySQL documentation to get more ideas (but I should stop; implementing every unneeded feature will just put a hole in your goal). Yet I’ll just do this one to see how it goes; it’s a gamble after all. I need to see the impact it will have and what benefits will be gained.
