Wouldn't Fluorine and OpenAMF throw a type-coercion error, given that
the first argument is typed? Of course, the code in the constructor
would be called anyways.
Patrick
Zoltan Csibi wrote:
>
> Hi,
>
> I would like to underline that somebody with good AMF knowledge can
> craft strongly typed objects and send them to the server-side. If the
> "deleteUser" doesn't require authentication and authorization it can
> be hacked in any language.
>
>
> function deleteUser($userVO)
> {
>     $userVO->delete();
> }
>
> Well, you might expect that $userVO is a "com.myPackage.UserVO", but it
> could also be a "com.myPackage.PhotoVO", or a "com.myPackage.AdminVO",
> or whatever. So you either have to make sure you do receive the VO type
> you expect, using instanceof or is_a, or you should only use "dumb" VOs
> which don't have any methods.
>
>
>
> Kind regards,
>
> Zoli
>
>
>
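The check recommended in the quoted message, as an added PHP example that is not part of the original thread: the service authorizes the caller, verifies the received object with instanceof, and keeps the VOs free of methods. UserVO and PhotoVO mirror the names used above; UserStore, UserService, the $session array and the 'admin' role are assumptions made for illustration.

```php
<?php
// Added example. UserVO/PhotoVO mirror the VO names in the thread; UserStore,
// UserService, the $session array and the 'admin' role are hypothetical.
// "Dumb" VOs: public data only, no constructor or methods for a crafted
// AMF message to trigger when the gateway instantiates them.
final class UserVO  { public $id = 0; public $name = ''; }
final class PhotoVO { public $id = 0; public $path = ''; }

final class UserStore  // behaviour stays in server-side code
{
    private $users = [1 => 'alice', 2 => 'bob'];  // constructed sample data
    public function delete(int $id): bool
    {
        $found = isset($this->users[$id]);
        unset($this->users[$id]);
        return $found;
    }
}

final class UserService
{
    private $store; private $session;
    public function __construct(UserStore $store, array $session)
    { $this->store = $store; $this->session = $session; }
    // Untyped on purpose: treat the argument as whatever the client chose to send.
    public function deleteUser($userVO): bool
    {
        if (($this->session['role'] ?? null) !== 'admin') {  // authorization first
            throw new RuntimeException('not authorized');
        }
        if (!($userVO instanceof UserVO)) {                  // then the type check
            throw new InvalidArgumentException('expected UserVO');
        }
        $id = filter_var($userVO->id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {                                 // fields are untrusted too
            throw new InvalidArgumentException('invalid user id');
        }
        return $this->store->delete($id);
    }
}

$svc = new UserService(new UserStore(), ['role' => 'admin']);
$user = new UserVO(); $user->id = 2;
foreach ([new PhotoVO(), $user] as $arg) {
    try {
        echo get_class($arg), ': deleted=', var_export($svc->deleteUser($arg), true), "\n";
    } catch (InvalidArgumentException $e) {
        echo get_class($arg), ': rejected (', $e->getMessage(), ")\n";
    }
}
```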