NYCPHP Meetup

[Anirudh Zala]

All are right at their point if view..

Bcoz security depneds upon type of application, Session management 
capapbility of script and coding.
u may include as many as files as u need due to php's powerful inclusion 
facility.

And can place your security checking in those special files or session which 
doesn't contain any html tags
hence user or hackers can't track it.

But as told above it depends upon application type and coding, we can 
atleast sepearte main security checing and
data displying in forms.

Hence single entry is not that much useful in all type of application..

Jim is quite right about his point.."using single entry suytem in all 
projects."

Thanks

Anirudh Zala


>From: Michael <mogmios at mlug.missouri.edu>
>Reply-To: talk at nyphp.org
>To: NYPHP Talk <talk at nyphp.org>
>Subject: Re: [nycphp-talk] single entry point
>Date: Tue, 30 Jul 2002 21:37:43 -0400
>Received: from mc1-f7.law16.hotmail.com ([65.54.236.14]) by 
>mc1-s10.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.4905); Tue, 30 
>Jul 2002 18:45:48 -0700
>Received: from slipdisc.virul.net ([66.114.66.188]) by 
>mc1-f7.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.4905); Tue, 30 Jul 
>2002 18:43:54 -0700
>Received: from nyphp.org (slipdisc.virul.net [66.114.66.188])by 
>slipdisc.virul.net (8.11.6/8.11.6) with ESMTP id g6V1bhP42494;Tue, 30 Jul 
>2002 21:37:43 -0400 (EDT)(envelope-from listmaster at nyphp.org)
>Message-Id: <200207310137.g6V1bhP42494 at slipdisc.virul.net>
>X-Paralist-Archived: 
><http://nyphp.org/list/paralist_archive.html?L_mid=893>
>X-List-Software: Paralist 0.6
>List-ID: <nyphptalk.nyphp.org>
>List-Owner: <mailto:listmaster at nyphp.org>
>List-Archive: <http://nyphp.org/list/paralist_archive.html?L_lid=1>
>List-Subscribe: <http://nyphp.org/list/>
>List-Unsubscribe: <http://nyphp.org/list/>
>Organization: New York PHP
>X-Mailer: Paramail 0.5
>Return-Path: listmaster at nyphp.org
>X-OriginalArrivalTime: 31 Jul 2002 01:43:54.0505 (UTC) 
>FILETIME=[BA9BB790:01C23833]
>
>I'll step out on a limb and disagree with the others that responded to
>your message. I've written some very large PHP-based sites and from my
>experiences I've learned to base any sites of any size off a moduler
>single entry point design. For an example of the framework I created for
>my own use try http://freshmeat.net/projects/kfl/ and see my newest
>version.
>
>I do not suggest that using a single entry point design is reasonable for
>every project. Small sites don't really benefit from the more structured
>design. Also a single entry point site can be designed totally without
>enternal structure which is just a mess. It can also be beneficial to have
>several 'single entry points' to group modules as is practical for your
>problem domain.
>
>As someone else said templates are a good design choice for use with
>single entry points. IMO so are object oriented modules. Good object
>oriented design will make it easier to maintain security and
>maintainability as the site growsbut by no means will do your job for you.
>
>There is no reason why search engines won't or can't spider as deep as you
>want even with a single entry point. It's a pretty easy trick to pass PHP
>arguments in the URL path. For example index.php?module=logon can be done
>as index.php/module/logon or just index.php/logon if you wanted.. hiding
>the fact that the requested files are dynamic from the search engines.
>
>
> > As a fairly new PHP developer, I'm wrestling with not only learning the
> > lingo, but also attempting to discover best practice.  When I was first
> > faced with ASP when ASP was first introduced I made the design snafu of
> > developing my first small page as a single page.  Login, login 
>validation,
> > form entry, form validation and submission, and submission response all
> > rolled up into 1 .asp file.  While it was great for this 1 small app ( 
>more
> > of an applet ), when the client wanted to add more stuff it required
> > re-arranging the app splitting it up, figuring out the then flawed
> > response.redirect etc.  It then required adding to the top of each page 
>the
> > security checks to ensure the user was logged in etc. ( of course added 
>as
> > an include ).
> >
> > Well to make a short story long, I encountered an ASP app written by 
>another
> > programmer which I was inheriting which used a single entry point(
> > everything went through default.asp ( ASP's equivalent of index.php ) ). 
>  He
> > used an encrypted querystring parameter to key the ASP file as to which 
>page
> > was really required & then using a case statement included the necessary
> > files.  He must not have been aware of ASP's static include, all 
>includes
> > are included regardless of control logic around the include.  I did 
>think
> > the solution to be rather elegant, hiding the implementation from the 
>user
> > by only exposing 1 page.  Later as I developed it I even moved the 
>encrypted
> > parameter to a hidden form field to even hide that part of the
> > implementation.
> >
> > I've seen a few PHP apps floating around that use a similar design.  In 
>PHP
> > the obvious advantage over the ASP version is the dynamic include ( 
>include
> > based on the surounding logic ).  I'm interested to get the opinion of 
>more
> > experienced PHP developers on this single entry point design.  I realize
> > this design will not allow search engines to index more than the entry
> > point, but I'm developing in an extranet environment where search 
>engines
> > are not desired anyway.
> >
> > I think one of the things that draws me to this solution is the ease of
> > security checks and forcing a specific modality ( ie. stopping the 
>browsers
> > back button & ensuring a specific work flow where required ).
> >
> > Please let me know your opinion on this.
> >
> > Jim
> >
> > _____________________________________________________________
> > Jim Hendricks, President, Biz Computing, Inc
> > Phone:  (201) 599-9380     Email: jim at bizcomputinginc.com
> > Web: www.bizcomputinginc.com
> > Snail:  Jim Hendricks,  Biz Computing, Inc.,  255 McKinley Ave, New 
>Milford,
> > NJ 07646
> >  ______________________________________________________________
> >
> >
> >
> >




_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com