
[nycphp-talk] Not-so-subtle attack on PHP

John Campbell jcampbell1 at gmail.com
Fri Sep 28 13:35:44 EDT 2007


On 9/28/07, Kenneth Downs <ken at secdat.com> wrote:

>   I will claim that putting security
> directly into the database is better than any other way because it does what
> is needed in the end with the least possible work.

I must be missing something.  Take a simple social networking
scenario: A user can only see another user's complete profile if and
only if they are mutual friends.  Implementing that in the tables
would be a huge pain in the ass and incur a big performance penalty.
Is there some super easy way to implement this that I am missing?

My problem with implementing security in the database, is that it
forces a relationship between data elements and users, whereas if you
implement the security layer between the application and the data then
you can write policies that are a function of the data itself.


-Cheers
John Campbell
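To make the mutual-friends scenario concrete, here is an added example that is not code from this thread or from either poster. It uses a constructed SQLite schema (users with a public and a private column, friendships stored as directed rows) and shows the same rule written two ways: once as a single parameterised query where the database decides which column to expose, and once as an application-side policy function applied to the row after it is fetched. The self-view case (a user seeing their own full profile) is an assumption added for completeness; the thread does not specify it.

```python
import sqlite3

# Constructed sample schema and data for this example only (not from the thread).
# Friendships are directed rows; a friendship is "mutual" only when both
# directions exist.  The composite primary key doubles as the lookup index
# that both checks below rely on.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    public_bio TEXT,
    private_email TEXT
);
CREATE TABLE friendships (
    from_id INTEGER NOT NULL REFERENCES users(id),
    to_id   INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (from_id, to_id)
);
"""

SAMPLE_USERS = [
    (1, "alice", "Alice's bio", "alice@example.com"),
    (2, "bob",   "Bob's bio",   "bob@example.com"),
    (3, "carol", "Carol's bio", "carol@example.com"),
]
# alice <-> bob is mutual; alice -> carol exists in one direction only.
SAMPLE_FRIENDSHIPS = [(1, 2), (2, 1), (1, 3)]

# Approach 1: the rule lives in the query.  The private column is returned
# only when a row exists in each direction (or the viewer is looking at
# themselves, an assumption made for this example).  The viewer id is the
# only thing the application has to supply.
PROFILE_QUERY = """
SELECT u.id, u.name, u.public_bio,
       CASE
         WHEN u.id = :viewer THEN u.private_email
         WHEN EXISTS (SELECT 1 FROM friendships f1
                      WHERE f1.from_id = :viewer AND f1.to_id = u.id)
          AND EXISTS (SELECT 1 FROM friendships f2
                      WHERE f2.from_id = u.id AND f2.to_id = :viewer)
         THEN u.private_email
         ELSE NULL
       END AS private_email
FROM users u
WHERE u.id = :target
"""


def open_db():
    """Create an in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO friendships VALUES (?, ?)", SAMPLE_FRIENDSHIPS)
    return conn


def _row_to_profile(row):
    return {"id": row[0], "name": row[1], "public_bio": row[2], "private_email": row[3]}


def view_profile_db_rule(conn, viewer, target):
    """Database-side enforcement: the query itself withholds the private column."""
    row = conn.execute(PROFILE_QUERY, {"viewer": viewer, "target": target}).fetchone()
    return None if row is None else _row_to_profile(row)


def is_mutual(conn, a, b):
    """Application-side check: both directed rows must exist."""
    count = conn.execute(
        "SELECT COUNT(*) FROM friendships "
        "WHERE (from_id = ? AND to_id = ?) OR (from_id = ? AND to_id = ?)",
        (a, b, b, a),
    ).fetchone()[0]
    return count == 2


def view_profile_app_rule(conn, viewer, target):
    """Approach 2: fetch the full row, then a policy function written in the
    application decides which fields the viewer may see."""
    row = conn.execute(
        "SELECT id, name, public_bio, private_email FROM users WHERE id = ?",
        (target,),
    ).fetchone()
    if row is None:
        return None
    profile = _row_to_profile(row)
    if viewer != target and not is_mutual(conn, viewer, target):
        profile["private_email"] = None  # redact rather than fail the request
    return profile
```

Both functions return the same result for every viewer/target pair in the sample data; the difference the thread is arguing about is where the rule is written and what else it can take into account, not what it returns here.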



More information about the talk mailing list