Some Considerations Before Starting.
Posted 27 August 2013 - 04:02 AM
I'm going to start a new project and I have thought that it will be great to do it with Yii.
I have some considerations about security and I'm not really sure if Yii could help me here.
I read that with Yii it's easy to implement third-party modules; that's why I think Yii will be a great alternative for my project. My project is a core where other developers could add modules.
The security problem I see is that the core and modules will be on the same platform (server, db, etc.). How can I avoid someone uploading malicious code (shell script, script to read the entire db...)?
To avoid someone stealing the db I think I'll encrypt the data before saving it, but maybe it's a question of time; someone who steals the db will crack the encryption sooner or later.
It would be better to be able to control which db tables a module can access, which others it can access but with filters (for example you can access the client table, but with a filter for specific "only your clients"), and which it can't access.
To avoid the upload of malicious code, I think it's more difficult, and the only solution would be to review all the submitted code. But do you have any other idea?
Thanks and best regards,
Posted 27 August 2013 - 12:42 PM
Thanks for your reply.
Using their own directories doesn't fix the problem, since the apps will access the same db.
Independent modules use their own directories too, so I don't know why you said independent web apps... did you mean with their own db and vhost?
But I need everything interconnected so anybody can use the other modules. For example, if someone creates a "client" module, anyone can use that module for his own and combine it with his "billing" module.
Thanks and regards,
Posted 27 August 2013 - 07:33 PM
Most databases provide pretty good authorization mechanisms that allow multiple users to work with their own set of permissions. If you want to share business logic with restrictions you'd have to implement it as database procedures. But most programmers don't really know any procedural SQL language, so that is out of the question.
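The per-account permissions and database-procedure approach from the reply above, written out as an added example that is not from the thread. It assumes MySQL/MariaDB, a hypothetical `core.client` table with an `owner_module` column, and a third-party module named "billing"; the account password is a placeholder.

```sql
-- Constructed example, not code from the thread. Assumes MySQL/MariaDB,
-- a hypothetical core.client table and a third-party module named "billing".

CREATE DATABASE IF NOT EXISTS core;
CREATE TABLE IF NOT EXISTS core.client (
  id           INT AUTO_INCREMENT PRIMARY KEY,
  name         VARCHAR(100) NOT NULL,
  owner_module VARCHAR(64)  NOT NULL        -- module that created the row
);

-- 1. One database account per module (password is a placeholder).
CREATE USER IF NOT EXISTS 'mod_billing'@'localhost' IDENTIFIED BY 'CHANGE_ME';

-- 2. The module gets its own schema for its private tables, and nothing else:
--    no privilege on core.* means it cannot dump the core database.
CREATE DATABASE IF NOT EXISTS mod_billing;
GRANT ALL PRIVILEGES ON mod_billing.* TO 'mod_billing'@'localhost';

-- 3. Shared "client" data is exposed through a view that hard-codes the
--    "only your clients" filter. The view runs with the definer's (admin's)
--    rights, so the module needs no privilege on core.client itself.
CREATE OR REPLACE SQL SECURITY DEFINER VIEW core.client_billing AS
  SELECT id, name FROM core.client WHERE owner_module = 'billing';
GRANT SELECT ON core.client_billing TO 'mod_billing'@'localhost';

-- 4. Writes go through a definer procedure that pins owner_module, so the
--    module cannot create or modify rows belonging to other modules.
DELIMITER //
CREATE PROCEDURE core.billing_add_client(IN p_name VARCHAR(100))
  SQL SECURITY DEFINER
BEGIN
  INSERT INTO core.client (name, owner_module) VALUES (p_name, 'billing');
END //
DELIMITER ;
GRANT EXECUTE ON PROCEDURE core.billing_add_client TO 'mod_billing'@'localhost';

-- 5. Check, connected as mod_billing: these succeed ...
--      SELECT * FROM core.client_billing;
--      CALL core.billing_add_client('Acme');
--    ... and this is refused with "SELECT command denied":
--      SELECT * FROM core.client;
```

Each module's Yii application would then be configured with its own account's credentials, so the permission boundary is enforced by the database server rather than by reviewing the module's code.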
Posted 28 August 2013 - 01:55 AM
Yesterday I was thinking and maybe it is possible to create a db for each external module and interact with it through the code. This plus encryption should work.
So now my greatest concern is the uploaded code. If I have to review everything it will slow down the process. I have to think about this.
Thanks again, and best regards!
Posted 29 August 2013 - 04:22 PM