tags:

views:

85

answers:

3
+2  Q: 

PHP - Frameworks, ORM, Encapsulation.

Programming languages/environments aside, are there many developers who are using a framework in PHP, ORM and still abide by encapsulation for the DAL/BLL? I'm managing a team of a few developers and am finding that most of the frameworks require me to do daily code inspection because my developers are using the built in ORM.

Right now, I've been using a tool to generate the classes and CRUD myself, with an area for them to write additional queries/functions. What's been happening though, is they are creating vulnerabilities by not doing proper checks on data permission, or allowing the key fields to be manipulated in the form.

Any suggestions, other than get a new team and a new language (I've seen Python/Ruby frameworks have the same issues).

+4  A: 

Throwing away a team is never an option: improve it instead!

  • Arrange security workshops to make them more aware of these issues.
  • Introduce (or even better: ask them to introduce) code guide lines for better handling these problems (a security-aware hungarian notation or usage of prepared statements are two examples)
  • Address the short-comings in code reviews - don't blame them for ignoring security, just show the problematic snippets you found and explain that security is very important to [choose one: this project/the customer/your company's reputation/you personally]
  • Let them do security audits on their own or their peer's code. Let them find out how easy it is to exploit such security flaws.
  • Find other tools/frameworks that better support your security model. But be warned: this option is very expensive! Your programmers will need to maintain code in the old framework and learn a new one (worst case: they will need to learn a new language along with the new framework)

But basically this is an issue that you have to solve collaboratively with your developers. If you declare war on them, you're bound to lose (regardless of the outcome for the developers.)

soulmerge  2010-04-24 11:53:47
Thanks. I have introduced guidelines, code reviews, security reviews, etc. Ironically, they have a grasp on XSS/SQL injections, and others (mainly because the framework handles it).My issue is they'll pretty much replicate a scaffold environment, where they fail to check proper access permissions for data. I've had them go through the use cases, unit tests, etc, but they'll modify the models to expose all the private methods/members to make it "easier" for them and simply use the CRUD type statements allowing anyone to manipulate other users data's by changing the id in the form.
Ian  2010-04-25 11:28:31
If you can't get them to work on the security issues, maybe you should ask external developers to try to hack your own site. Enter each successful hack as a bug into your bug tracking system. This way both you and your developers will get metrics how secure the application really is. People learn from mistakes far better then from someone else just saying so.
soulmerge  2010-04-25 11:37:16
+2  A: 

To me it sounds like you want to improve coding culture. Have a look at the Rules of Extreme Programming. Maybe you can adopt a few techniques.

Basically, I get the impression there is very little communication right now between the developers and you. I might be just reading that into it, but to me it sounds like the devs are locked in the cellar and you are sitting somewhere else and getting frustrated about them. Change that kind of thinking. You are part of the team.

If your developers are not aware of the vulnerabilities they introduce into the code, consider having weekly code reviews. Let the developers talk about the code they wrote. Let them learn from each other. Make the code collectively owned. Foster learning and constructive criticism.

Remember, there is no I in Team.

Gordon  2010-04-24 11:58:14
Thanks. Corporate climate aside, I'm at about one day a week reviewing the code. I have documentation for what they should be doing. I review the steps before, hold the "workshops", yet they fail to listen. I've followed XP programming, tried agile, etc. The "team" feels they know better then everyone else.I may end up writing all the models myself, since they go and expose the private methods and properties anyways.
Ian  2010-04-25 11:22:36
@Ian you could use some of the tools at phpqatools.org to write code sniffers that detect coding violations and prevent VCS check-ins or to generally prove your point about the code quality. But if there is already fronting, maybe it makes sense to hire a neutral external consultant like sektionseins.de or thePHP.cc (not affiliated with them - just naming the most well known).
Gordon  2010-04-25 11:34:27
A: 

May I recommend Nepthali? It's not an ORM, but the framework is designed to force security. I.E. all variables are encoded before output to the screen; unless explicitely defined not too.

It's also fairly lean, having no ORM, etc. so you can plug whichever ORM into it you want. It's pretty nice, actually.

Zachary Spencer  2010-04-24 12:13:08
Thanks, but security issues I'm talking about is failing to check if a user has access to data. So they'll write a generic load function by a primary key and use that for everything, since they only "test" against one user. The CRUD methods all follow this issue, so as long as they have access to the data, they expose it to the user.
Ian  2010-04-25 11:24:25

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases