NYCPHP Meetup

[nycphp-talk] Not-so-subtle attack on PHP

bz-gmort at beezifies.com bz-gmort at beezifies.com
Fri Sep 28 13:02:27 EDT 2007


Kenneth Downs wrote:
> ....but of course we want to prevent session hijacking and forged urls no matter what the security mechanism, right?  

I'd also like to prevent users entering something in an input field 
because their "friend" tells them it's a good idea.

But since I can't control users.....

> bz-gmort at beezifies.com wrote:
>>
>> I wonder how difficult it would be to design a functional application 
>> that would work both in the shared hosting/single db user model AND a 
>> dedicated server/multi user model, and would there even be a market 
>> for such an app(market defined as people who would use it in both modes)
> 
> Actually an Andromeda node can host any number of applications, private 
> business apps and public sites both (as SDS servers in fact do), with 
> multiple instances of the same apps and multiple versions of the same 
> apps all running simultaneously.  All database users are fully isolated 
> into their individual apps.

I'm thinking more from the perspective that the Application would run on 
a GoDaddy host, it will run on a Dreamhost account, and it will run on a 
dedicated server.

Designed in such a way to devolve down to the single db user access 
rights when that is all that is available, but will scale up to the 
multi user access level when it's available.

It would mean a lot of redundant code at the application level to manage 
security when the user access is lacking.

It seems to me it's better to start with an app dedicated for the shared 
hosting environment and then upgrade to something like Andromeda when it 
is economically justified.  But it would be cool to be able to use the 
same app under different security models.



More information about the talk mailing list