Some Considerations Before Starting

Hello,

I’m going to start a new project and I thought it would be great to do it with Yii.

I have some considerations about security and I’m not sure whether Yii could help me here.

I read that with Yii it’s easy to implement third-party modules, which is why I think Yii will be a great alternative for my project. My project is a core to which other developers could add modules.

The security problem I see is that the core and modules will be on the same platform (server, db… etc). How can I prevent someone from uploading malicious code (a shell script, a script to read the entire db…)?

To prevent someone from stealing the db I am thinking of encrypting the data before saving it, but maybe it is a question of time: someone who steals the db will crack the encryption sooner or later.

It would be better to be able to control which db tables a module can access, which others it can access but with filters (for example you can access the client table, but with a filter for “only your clients”), and which it can’t access.

Preventing the upload of malicious code is, I think, more difficult, and the only solution will be to review all the submitted code. But do you have any other ideas?

Thanks and best regards,

Layn.

There is no way you can create any restrictions in modules that your core app would not have.

I think the only way to separate logic like that is to create independent web apps in their own directories.

Hi Nineinchnick,

Thanks for your reply.

Using their own directories doesn’t fix the problem, since those apps will access the same db.

Independent modules also use their own directories, so I don’t know why you said independent web apps… did you mean with their own db and vhost?

But I need everything interconnected so anybody can use the other modules. For example, if someone creates a "client" module, anyone can use that module as his own and combine it with his "billing" module.

Thanks and regards,

Layn.

So you need to do a careful code review if you are going to use different modules in one web app.

Most databases provide pretty good authorization mechanisms that allow multiple users to work with their own set of permissions. If you want to share business logic with restrictions you’d have to implement it as database procedures. But most programmers don’t really know any procedural SQL language, so that is out of the question.
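The database-level permissions described in the reply above, as an added example that is not part of the original thread. It assumes PostgreSQL and that each module connects with its own database account rather than the core's; every role, table and column name is hypothetical.

```sql
-- Assumption: PostgreSQL; all role, table and column names are hypothetical.
-- Run by the core application's owner role, never by a module.

-- One login role per third-party module; the password is a placeholder.
CREATE ROLE mod_billing LOGIN PASSWORD 'CHANGE_ME';

CREATE TABLE client (
    id           serial PRIMARY KEY,
    owner_module text NOT NULL,   -- name of the module role that owns the row
    name         text NOT NULL
);
CREATE TABLE core_secret (
    id    serial PRIMARY KEY,
    value text NOT NULL
);

-- Constructed sample rows.
INSERT INTO client (owner_module, name) VALUES
    ('mod_billing', 'Acme Ltd'),
    ('mod_crm',     'Globex');

-- "Can access, but with a filter": row-level security limits the module
-- to rows whose owner_module equals the role it connected as.
ALTER TABLE client ENABLE ROW LEVEL SECURITY;
CREATE POLICY client_own_rows ON client
    FOR SELECT TO mod_billing
    USING (owner_module = current_user);
GRANT SELECT ON client TO mod_billing;

-- "Cannot access": new tables grant nothing to other roles by default,
-- so core_secret stays closed as long as no GRANT names mod_billing.

-- Shared business logic as a database procedure: the function runs with
-- its owner's rights, so it can aggregate over all clients without
-- handing the module the underlying rows.
CREATE FUNCTION client_count() RETURNS bigint
    LANGUAGE sql SECURITY DEFINER SET search_path = public, pg_temp
    AS $$ SELECT count(*) FROM client $$;
REVOKE ALL ON FUNCTION client_count() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION client_count() TO mod_billing;

-- Check the result from the module's point of view.
SET ROLE mod_billing;
SELECT id, name FROM client;   -- the policy filter applies here
SELECT client_count();         -- allowed through the definer function
RESET ROLE;
```

The table owner bypasses row-level security unless `FORCE ROW LEVEL SECURITY` is set, which is why the definer function can count every row while the module's direct `SELECT` is filtered.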

Thanks again Nineinchnick,

Yesterday I was thinking and maybe it is possible to create a db for each external module and interact with it through the code. This plus encryption should work.

So now my greatest concern is the uploaded code. If I have to review everything it will slow down the process. I have to think about this :)

Thanks again, and best regards!

Layn.

I think you have no choice but to do some code review. So perhaps you should look into creating an approval system. I’m not sure of the purpose of your project, but it doesn’t seem safe. How will people test their code? If you let them develop and test on your server there’s nothing to stop them echoing out the database connection information and getting access to the database.