Page 2 of 2 (results 26 to 38 of 38)
  1. #26
    SitePoint Guru
    Quote Originally Posted by Dr Livingston
    PHP Code:
        $filename = "$action-action.class.php";
        require_once($filename);
    Does that not smell to any of you? What happens when $action = '../../../path/to/malicious/script'? Use basename().

  2. #27
    SitePoint Addict timvw's Avatar
    Very useful in this situation is realpath.
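
The pattern Ezku flagged in #26 together with timvw's realpath() suggestion in #27, as an added example that is not code from this thread: the unsafe include next to a hardened loader that applies basename(), a character allowlist, and a realpath() prefix check. The actions directory layout and the action-name pattern are assumptions.

```php
<?php
// Added example, not from the thread. Assumed layout: action classes live in
// ./actions/<name>-action.class.php relative to this file.
define('ACTION_DIR', __DIR__ . '/actions');

// The pattern from the thread: $action flows straight into the include path,
// so any value containing directory separators or ".." leaves ACTION_DIR.
function load_action_unsafe($action) {
    $filename = ACTION_DIR . "/$action-action.class.php";
    require_once($filename);
}

// Hardened resolution: returns the absolute path of the class file, or false.
function resolve_action_file($action) {
    // 1. Drop any directory component ("../x" and "/etc/x" both become "x").
    $name = basename($action);
    // 2. Allowlist the characters a real action name uses; this also rejects
    //    null bytes, spaces and anything else that is not a plain identifier.
    if (!preg_match('/^[a-z0-9_]+$/', $name)) {
        return false;
    }
    // 3. realpath() resolves symlinks and "..", and returns false for a
    //    missing file; the prefix comparison confines the result to ACTION_DIR.
    $base = realpath(ACTION_DIR);
    $path = realpath(ACTION_DIR . "/$name-action.class.php");
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

function load_action($action) {
    $path = resolve_action_file($action);
    if ($path === false) {
        // A rejected name is a bad request worth logging; it is never included.
        error_log('rejected action name: ' . var_export($action, true));
        return false;
    }
    require_once($path);
    return true;
}
```

realpath() on its own only normalises the path; it is the prefix comparison against the resolved base directory that actually confines the include, and the allowlist in step 2 is what makes basename() sufficient on its own for the common case.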

  3. #28
    Non-Member
    Does that not smell to any of you?
    Of course it does, but you'll need to excuse me for a moment you see, since I never submitted that piece of script, it was 33degrees if you look again

    I just copied and pasted the script (by 33degrees) in relation to the posting that I made in regards to the reply on the use of the SWITCH. Personally I wouldn't use nor could I recommend the use of that example, for obvious reasons.

    Just thought I'd correct the matter, if that's okay with you that is?

  4. #29
    SitePoint Guru
    Quote Originally Posted by Dr Livingston
    Just thought I'd correct the matter, if that's okay with you that is?
    Oops. I guess that came out as a bit offensive. It wasn't meant to anyone personally.

  5. #30
    Non-Member
    Off Topic:

    None taken, I put it down to an oversight on your part and thought nothing more of it, but I did have to go and lie down for a while...

  6. #31
    SitePoint Addict
    Quote Originally Posted by dreamscape
    Why, why why would a template engine care what format the template file fed to it is in? As long as the file follows the engine's syntax (for variables, conditions, loops, etc), it has no need to care or even think about what else is in the file. Its job is to take whatever file it is given by the application, parse it, and give the application back the compiled template (or possibly include the compiled template based on what the application currently wants to do). There is no need to have multiple template engines for different output formats, generally speaking. (something like PDF templating might be tricky, and maybe you'd need something a little different, but definitely you do not need a different engine for formats like HTML, XML, plain text, etc).
    That was the point I was trying to make. Look at the previous posts in this thread where things like templating engines that have a 'doctype' variable (yikes!) and such were given as examples. Bad, bad, bad.

  7. #32
    SitePoint Guru 33degrees's Avatar
    Quote Originally Posted by Ezku
    Does that not smell to any of you? What happens when $action = '../../../path/to/malicious/script'? Use basename().
    Depends on where $action is coming from; it could be reasonable to assume that the request object is validating its data. In any case, it was a quick and dirty example of an alternate approach to using a switch statement, I wasn't expecting anybody to use it as is in production code!

  8. #33
    ********* Victim lastcraft's Avatar
    Hi...

    Quote Originally Posted by Etnu
    Now, there's nothing wrong with an HTMLTemplate that extends a generic Template class (or whatever), but you'll be hurting later if you don't plan for those sorts of things.
    Call me an XP'er, but I'm always very reluctant to plan ahead for anything. You have to carry the weight of all that extra code from the time it's written until the time it's finally used. That is, even if you guess right, you don't win. When you guess wrong, or the code is rewritten in the meantime for a different reason, you lose big time.

    Regarding the high level app. design, what type of application are you developing? The reason is that different control/templating styles suit different apps.

    yours, Marcus
    Marcus Baker
    Testing: SimpleTest, Cgreen, Fakemail
    Other: Phemto dependency injector
    Books: PHP in Action, 97 things

  9. #34
    SitePoint Guru 33degrees's Avatar
    Quote Originally Posted by Dr Livingston
    Personally I wouldn't use nor could I recommend the use of that example, for obvious reasons.
    I'd be curious to know what those obvious reasons would be? Apart from the potential security issues, is there anything really wrong with my example?

  10. #35
    SitePoint Addict
    Quote Originally Posted by lastcraft
    Hi...

    Call me an XP'er, but I'm always very reluctant to plan ahead for anything. You have to carry the weight of all that extra code from the time it's written until the time it's finally used. That is, even if you guess right, you don't win. When you guess wrong, or the code is rewritten in the meantime for a different reason, you lose big time.

    Regarding the high level app. design, what type of application are you developing? The reason is that different control/templating styles suit different apps.

    yours, Marcus
    Being reluctant to plan ahead for "anything" usually just puts you in a position to make life harder. No, you shouldn't overthink things (massive class diagrams and "specs" make me want to vomit the whole of my internals up), but there are plenty of obvious things that you can take care of right off the bat. Not binding your templating system to a specific type of output is one of those things.

  11. #36
    SitePoint Enthusiast
    Quote Originally Posted by lastcraft
    Regarding the high level app. design, what type of application are you developing?
    The application that I am developing is a rewrite of an old foxweb (version 2.6) 16-bit stand-alone program. None of the code can or should be reused, but at least I have a working outline. Just to give an idea of the size of application, they told me in my interview they expect it to take 4-5 years to write. Personally I don't think it will take half that time.

    So what kind of application am I developing? It's an application that is going to have different views / privileges based on login type and security level. There will be 2-3 html templates based on scope of the page. Many of the functions that one user may need will overlap with other users, but the permissions (read, write) may be different. There will be a fair amount of chart and graphical reporting which needs to be able to be easily converted to PDFs. This program isn't going to be sold to other companies, so making it portable isn't an issue.

    Quote Originally Posted by lastcraft
    The reason is that different control/templating styles suit different apps.
    I agree with this statement 100%, and am glad you brought it up because that brings up a question. In the MVC where / how is the security level built in?

  12. #37
    ********* Victim lastcraft's Avatar
    Hi...

    It's taken me a while to cough up the "design up front" pill. Since doing so I haven't found any decision I could not have delayed until the last minute except those involving commitments to other development teams.

    Quote Originally Posted by Etnu
    Not binding your templating system to a specific type of output is one of those things.
    That is exactly the kind of thing I would leave until I needed it. Why not just restrict to HTML? It's certainly good enough for 90% of sites out there and it's not so hard to put in later.

    In fact I would go a step further here and say I would not implement any MVC system until I needed it. Just go with straight PHP until there is enough of an app. to dictate the framework requirements. I don't know what foxweb is, but I doubt it will translate to the web in any kind of automatic way. I suspect that the top level navigation will be a mystery until you do some usability and taskflow work. It's only then that front/page controllers can be dictated, whether a separate presentation layer is needed, whether the layouts will need a graphics designer, etc, etc.

    Infrastructure decisions are the hardest to undo. Right now you just don't know. Code something functional first and get it onto a page so that people can review it.

    yours, Marcus
    Marcus Baker
    Testing: SimpleTest, Cgreen, Fakemail
    Other: Phemto dependency injector
    Books: PHP in Action, 97 things

  13. #38
    SitePoint Wizard
    Quote Originally Posted by Etnu
    Being reluctant to plan ahead for "anything" usually just puts you in a position to make life harder. No, you shouldn't overthink things (massive class diagrams and "specs" make me want to vomit the whole of my internals up), but there are plenty of obvious things that you can take care of right off the bat. Not binding your templating system to a specific type of output is one of those things.
    I think you are confusing planning for what you know and planning ahead for those things that you are not positive about. One of the counter-intuitive, yet proven effective, things about XP is that you only build from what you actually know. And that ends up being much less than you think you know.
    Christopher
