On Jan 17, 2007, at 10:27 AM, Patrick Mineault wrote:
> So you either have to make sure you do receive the VO type
> you expect, using instanceof or is_a, or you should only use "dumb"
> VOs which don't have any methods.
I think that this is an important point, so I want to make sure I
understand what you are saying since I have been debating whether to
use VO's in my PHP.
I can create dummy VO's as you suggested (which is essentially what
my Flex VO's are), but I have been wondering what advantage I get
from using VO's at all in PHP unless I attempt to implement an ORM
approach and actually map the PHP VO directly to the MYSQL tables and
abstract my SQL into these objects. I have been a little wary of
this approach (for reasons other than security) since I need more
flexibility in my inserts, AND it sounds like you would not recommend
this either due to the security holes it could reveal.
However, the other advantage of VO's on the PHP side is to allow them
to manage the deserialization of my MySQL results, and thus fully
organize them into objects that can be easily mapped back to Flex. So...
a) Does this present as big a security issue?
b) Is this a good way to approach the mapping of PHP to Flex? How are
others solving this problem?
c) If one could spoof a VO, wouldn't it be just as easy to spoof a
method call (assuming I take a more procedural approach).
I guess I don't fully understand why the procedural approach is more
secure than the VO approach.
I am new to understanding web security, so forgive me if I am being
naive...
thanks, Kevin
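An added illustration of the point under discussion, written for this page and not code from the thread, from Patrick, or from any AMF gateway: a "dumb" VO with public fields only, a service method that checks the deserialized argument with instanceof before touching it, and a helper that copies a database row into the VO for the trip back to Flex. The class and method names (OrderVO, OrderService, rowToOrderVO) and the column names are assumptions, and the inputs are constructed so it runs without a gateway or a database.

```php
<?php
// Added example, not from the thread or from AMFPHP. OrderVO, OrderService
// and the column names are assumptions chosen for illustration.

class OrderVO
{
    // A "dumb" VO: public properties only, no methods. The gateway fills
    // these on deserialization, and there is nothing here for a spoofed
    // object to hijack.
    public $id;
    public $customerId;
    public $total;
}

class OrderService
{
    // Remote method. $order arrives already deserialized, and the client
    // chose the class name that was instantiated, so check it first.
    public function save($order)
    {
        // The check from the quoted reply: refuse anything that is not the
        // expected VO type. is_a($order, 'OrderVO') would do the same job.
        if (!($order instanceof OrderVO)) {
            throw new InvalidArgumentException(
                'Expected OrderVO, got ' .
                (is_object($order) ? get_class($order) : gettype($order))
            );
        }

        // Validate the field values too: a correctly typed VO still carries
        // whatever the client put in it.
        if (!is_numeric($order->customerId) || !is_numeric($order->total)) {
            throw new InvalidArgumentException('customerId and total must be numeric');
        }

        // Keep the SQL in the service, not in the VO; the values go to a
        // prepared statement as parameters rather than into the string.
        return array(
            'sql'    => 'INSERT INTO orders (customer_id, total) VALUES (?, ?)',
            'params' => array((int) $order->customerId, (float) $order->total),
        );
    }
}

// Mapping a result row back into a VO for Flex. Only the fields the VO
// declares are copied, so an extra column never leaks to the client.
// Assumes the SELECT aliases its columns to the VO field names.
function rowToOrderVO(array $row)
{
    $vo = new OrderVO();
    foreach (get_object_vars($vo) as $field => $unused) {
        if (array_key_exists($field, $row)) {
            $vo->$field = $row[$field];
        }
    }
    return $vo;
}

// Constructed inputs: no gateway, no database.
$service = new OrderService();

$good = new OrderVO();
$good->customerId = 42;
$good->total = 19.99;
var_dump($service->save($good));

// Stands in for an object whose class name the client picked.
$spoofed = new stdClass();
$spoofed->customerId = 42;
try {
    $service->save($spoofed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // rejected before anything is called on it
}

// A constructed row with one column the VO does not declare.
var_dump(rowToOrderVO(array(
    'id' => 7, 'customerId' => 42, 'total' => 19.99, 'password_hash' => 'x',
)));
```

The instanceof guard answers question (c): a client can name any class the gateway knows when it sends a typed object, but it cannot make an object of the wrong class pass this check, and with a VO that has no methods there is nothing to call even if it did. Field validation and building the SQL in the service rather than in the VO cover the rest of what the VO cannot guarantee on its own.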