Hi,
I would like to underline that somebody with good AMF knowledge can craft
strongly typed objects and send them to the server side. If "deleteUser"
doesn't require authentication and authorization, it can be hacked in any
language.
<?php
// Insecure as written: no authentication or authorization check, and no check
// that $userVO really is the expected VO type. Any AMF-deserialized object
// with a delete() method will be accepted here.
function deleteUser($userVO)
{
    $userVO->delete();
}
Well, you might expect that $userVO is a "com.myPackage.UserVO", but it
could also be a "com.myPackage.PhotoVO", or a "com.myPackage.AdminVO",
or whatever. So you either have to make sure you do receive the VO type
you expect, using instanceof or is_a, or you should only use "dumb" VOs
which don't have any methods.
Kind regards,
Zoli
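The two mitigations the post describes (check the VO type with instanceof, and keep VOs "dumb" so the destructive logic stays in server-side code) combined with the missing authorization check, as an added example that is not part of Zoli's message or of any real AMF gateway. The class names (UserVO, PhotoVO, AdminVO), the CurrentUser session stand-in and the UserRepository are all hypothetical and constructed for this illustration.

```php
<?php
// Added example, not from the original post. All classes below are
// hypothetical stand-ins for com.myPackage.* VOs and for the gateway's
// session and persistence layers.

// A "dumb" value object: data only, no behaviour. A forged instance of it
// cannot execute anything on its own when it arrives over AMF.
class UserVO
{
    public $id;
}

// Other VOs an attacker could hand to the gateway just as easily.
class PhotoVO { public $id; public function delete() { /* unrelated */ } }
class AdminVO { public $id; public function delete() { /* unrelated */ } }

// Constructed stand-in for the authenticated session.
class CurrentUser
{
    public $id;
    public $isAdmin;
    public function __construct($id, $isAdmin)
    {
        $this->id = $id;
        $this->isAdmin = $isAdmin;
    }
}

// Constructed stand-in for the persistence layer; records what was deleted.
class UserRepository
{
    public $deleted = array();
    public function deleteById($id) { $this->deleted[] = $id; }
}

function deleteUser($userVO, CurrentUser $who, UserRepository $repo)
{
    // 1. Type check: refuse anything that is not the VO this method expects.
    //    is_a($userVO, 'UserVO') would work the same way.
    if (!($userVO instanceof UserVO)) {
        $got = is_object($userVO) ? get_class($userVO) : gettype($userVO);
        throw new InvalidArgumentException('expected UserVO, got ' . $got);
    }
    // 2. Authorization: only the account owner or an admin may delete it.
    if (!$who->isAdmin && $who->id !== $userVO->id) {
        throw new RuntimeException('not authorized to delete user ' . $userVO->id);
    }
    // 3. The deletion lives in server-side code, never in the VO itself.
    $repo->deleteById($userVO->id);
}

// Constructed usage: one legitimate call and two that must be rejected.
$repo  = new UserRepository();
$alice = new CurrentUser(7, false);

$own = new UserVO();
$own->id = 7;
deleteUser($own, $alice, $repo);            // allowed: Alice deletes her own account

$forged = new PhotoVO();
$forged->id = 99;
try {
    deleteUser($forged, $alice, $repo);     // rejected: wrong VO type
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

$other = new UserVO();
$other->id = 8;
try {
    deleteUser($other, $alice, $repo);      // rejected: not owner, not admin
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

echo 'deleted: ', implode(',', $repo->deleted), "\n";   // deleted: 7
```

The instanceof check alone is not enough: a correctly typed UserVO carrying someone else's id is still a forgeable object, which is why the authorization step compares the VO's id against the session rather than trusting anything in the payload.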