| Author |
Message |
Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 928
|
 Posted:
Sun Feb 10, 2008 7:47 am |
|
Greetings All,
I have a suggestion for Raven and Staff. In securing RN I have heard a ton of discussion about 3rd party add-ons and security. This should be done like that and so on.
I create a lot of custom things for my sites. One of the things I always struggle with is doing it securely.
What I am asking for is a Sample Module that inserts data into a database, Gets data from the database, displays data from the database, edits the data in the database and deletes data in the database - Securely.
Kind of like the old Mouse Module that Chris did but up to date with security in mind. It does not have to be anything exciting. Something simple and easy to follow that we could use as a template for creating new stuff.
This would be a great addition for us under educated folks that can write a little but do not know what things to look for. How to do a form the right way? How to do a sql insert the right way? How to display that data correctly.
I would even go so far as to pay someone to do it and release the code GPL.
I can create simple modules to do this or do that. Are they secure? I don't know. They work. What I want is to learn to do it correctly.
Just my .02!
Dawg
Give a man code and you solve one problem. Teach him to write his own code and you solve many problems. |
| |
|
|
|
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
|
| Posted:
Sun Feb 10, 2008 10:22 am |
|
Its a good idea, but the techniques are not specific to Nuke. Go read one of the many fine books on PHP and MySQL. PHP Pro Security is a good one. |
_________________
GCalendar - An Event Calendar for PHP-Nuke
Member_Map - A Google Maps Nuke Module |
|
|
|
|
Dawg
|
| Posted:
Sun Feb 10, 2008 10:40 am |
|
Gremmie,
I have a bookshelf full of good books. (Including one on Security) The issue is weeding through all the information and then making that information apply to nuke. As an example....sql statements are differnet inside of nuke because you do not do the connection.
I for one have a hard time understanding things from books in general. When I get ready to go do something. I look for an example to model by. Some of examples in the world that work are good....some are not so good. I am not smart enough to know the difference.
A current set of well written examples IMHO would go a long way to teaching the rest of us the correct way to do things.
Just My .02
Dawg |
| |
|
|
|
|
Gremmie
|
| Posted:
Sun Feb 10, 2008 12:05 pm |
|
About the database, true, the books certainly don't contain examples that use the $db object. But the SQL *is* the same. Things like sanitizing user inputs, escaping strings with addslashes, that's all the same. PHP Pro Security goes through all kinds of scenarios and I found it a good read and easy to apply to Nuke. |
| |
|
|
|
|
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
| Posted:
Sun Feb 10, 2008 2:54 pm |
|
In this thread:
[url][/url]http://www.ravenphpscripts.com/postxf14782-0-25.html[url]
we have started a little discussion of using the Zend framework. You can find all the links you need there.
It is far from determined that this is feasible but the basic approach is to have a framework which includes a bunch of pre-written classes that can be used to attain security. There would be "cookie-cutter" documentation for applying this in Nuke. When you build a form, the first thing you do is define the fields AND their validation and you call the validation and make sure everything is secure before you do anything with the database. Likewise you call on a class that properly escapes the data before you put it into the database.
This is not a short term solution because getting this stuff to work in a *nuke context is complicated. Then rewriting all the "standard" modules, which in part means rewriting all the forms is well ... not complicate ... but a lot of work. And finding a way to communicate it to 3rd party developers is also a lot of work and not sure to be successful.
[/url] |
| |
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
| Posted:
Mon Feb 11, 2008 7:12 am |
|
Dawg, I like the idea and have actually often wanted to even create for myself a simple "template" module that I can just copy and paste into a new development project. If I actually ever do create one, I'll definitely share it. Problem is, I have made a commitment to no longer develop for PHP4... lol. But, for RavenNuke(tm), I would ALWAYS make an exception.  |
_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... |
|
|
|
|
Gremmie
|
| Posted:
Mon Feb 11, 2008 8:38 am |
|
It would be a nice thing for 3rd party module developers to have as a reference. |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
