dpiuqwwyu187975836 2010-04-24 11:31
浏览 75

PHP - 框架,ORM,封装

Programming languages/environments aside, are there many developers who are using a framework in PHP, ORM and still abide by encapsulation for the DAL/BLL? I'm managing a team of a few developers and am finding that most of the frameworks require me to do daily code inspection because my developers are using the built in ORM.

Right now, I've been using a tool to generate the classes and CRUD myself, with an area for them to write additional queries/functions. What's been happening though, is they are creating vulnerabilities by not doing proper checks on data permission, or allowing the key fields to be manipulated in the form.

Any suggestions, other than get a new team and a new language (I've seen Python/Ruby frameworks have the same issues).

  • 写回答

4条回答 默认 最新

  • dousheyan0375 2010-04-24 11:53
    关注

    Throwing away a team is never an option: improve it instead!

    • Arrange security workshops to make them more aware of these issues.
    • Introduce (or even better: ask them to introduce) code guide lines for better handling these problems (a security-aware hungarian notation or usage of prepared statements are two examples)
    • Address the short-comings in code reviews - don't blame them for ignoring security, just show the problematic snippets you found and explain that security is very important to [choose one: this project/the customer/your company's reputation/you personally]
    • Let them do security audits on their own or their peer's code. Let them find out how easy it is to exploit such security flaws.
    • Find other tools/frameworks that better support your security model. But be warned: this option is very expensive! Your programmers will need to maintain code in the old framework and learn a new one (worst case: they will need to learn a new language along with the new framework)

    But basically this is an issue that you have to solve collaboratively with your developers. If you declare war on them, you're bound to lose (regardless of the outcome for the developers.)

    评论

报告相同问题?

悬赏问题

  • ¥15 keil里为什么main.c定义的函数在it.c调用不了
  • ¥50 切换TabTip键盘的输入法
  • ¥15 可否在不同线程中调用封装数据库操作的类
  • ¥15 微带串馈天线阵列每个阵元宽度计算
  • ¥15 keil的map文件中Image component sizes各项意思
  • ¥20 求个正点原子stm32f407开发版的贪吃蛇游戏
  • ¥15 划分vlan后,链路不通了?
  • ¥20 求各位懂行的人,注册表能不能看到usb使用得具体信息,干了什么,传输了什么数据
  • ¥15 Vue3 大型图片数据拖动排序
  • ¥15 Centos / PETGEM