Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> General/Other Stuff
Author Message
Dawg
RavenNuke(tm) Development Team


Joined: Nov 07, 2003
Posts: 910

PostPosted: Sun Feb 10, 2008 7:47 am Reply with quote

Greetings All,
I have a suggestion for Raven and Staff. In securing RN I have heard a ton of discussion about 3rd party add-ons and security. This should be done like that and so on.

I create a lot of custom things for my sites. One of the things I always struggle with is doing it securely.

What I am asking for is a Sample Module that inserts data into a database, Gets data from the database, displays data from the database, edits the data in the database and deletes data in the database - Securely.

Kind of like the old Mouse Module that Chris did but up to date with security in mind. It does not have to be anything exciting. Something simple and easy to follow that we could use as a template for creating new stuff.

This would be a great addition for us under educated folks that can write a little but do not know what things to look for. How to do a form the right way? How to do a sql insert the right way? How to display that data correctly.

I would even go so far as to pay someone to do it and release the code GPL.

I can create simple modules to do this or do that. Are they secure? I don't know. They work. What I want is to learn to do it correctly.

Just my .02!
Dawg

Give a man code and you solve one problem. Teach him to write his own code and you solve many problems.
 
View user's profile Send private message
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Sun Feb 10, 2008 10:22 am Reply with quote

Its a good idea, but the techniques are not specific to Nuke. Go read one of the many fine books on PHP and MySQL. PHP Pro Security is a good one.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
Dawg
PostPosted: Sun Feb 10, 2008 10:40 am Reply with quote

Gremmie,
I have a bookshelf full of good books. (Including one on Security) The issue is weeding through all the information and then making that information apply to nuke. As an example....sql statements are differnet inside of nuke because you do not do the connection.

I for one have a hard time understanding things from books in general. When I get ready to go do something. I look for an example to model by. Some of examples in the world that work are good....some are not so good. I am not smart enough to know the difference.

A current set of well written examples IMHO would go a long way to teaching the rest of us the correct way to do things.

Just My .02

Dawg
 
Gremmie
PostPosted: Sun Feb 10, 2008 12:05 pm Reply with quote

About the database, true, the books certainly don't contain examples that use the $db object. But the SQL *is* the same. Things like sanitizing user inputs, escaping strings with addslashes, that's all the same. PHP Pro Security goes through all kinds of scenarios and I found it a good read and easy to apply to Nuke.
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Sun Feb 10, 2008 2:54 pm Reply with quote

In this thread:

[url][/url]http://www.ravenphpscripts.com/postxf14782-0-25.html[url]

we have started a little discussion of using the Zend framework. You can find all the links you need there.

It is far from determined that this is feasible but the basic approach is to have a framework which includes a bunch of pre-written classes that can be used to attain security. There would be "cookie-cutter" documentation for applying this in Nuke. When you build a form, the first thing you do is define the fields AND their validation and you call the validation and make sure everything is secure before you do anything with the database. Likewise you call on a class that properly escapes the data before you put it into the database.

This is not a short term solution because getting this stuff to work in a *nuke context is complicated. Then rewriting all the "standard" modules, which in part means rewriting all the forms is well ... not complicate ... but a lot of work. And finding a way to communicate it to 3rd party developers is also a lot of work and not sure to be successful.

[/url]
 
View user's profile Send private message Visit poster's website
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Mon Feb 11, 2008 7:12 am Reply with quote

Dawg, I like the idea and have actually often wanted to even create for myself a simple "template" module that I can just copy and paste into a new development project. If I actually ever do create one, I'll definitely share it. Problem is, I have made a commitment to no longer develop for PHP4... lol. But, for RavenNuke(tm), I would ALWAYS make an exception. Wink

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Gremmie
PostPosted: Mon Feb 11, 2008 8:38 am Reply with quote

It would be a nice thing for 3rd party module developers to have as a reference.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> General/Other Stuff

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©