Wouldn't Fluorine and OpenAMF throw a type-coercion error, given that the first argument is typed? Of course, the code in the constructor would be called anyways.

Patrick Zoltan Csibi wrote:
>
> Hi,
>
> I would like to underline that somebody with good AMF knowledge can
> craft strongly typed objects and send them to the server-side. If the
> "deleteUser" doesn't require authentication and authorization it can
> be hacked in any language.
>
>
> function deleteUser($userVO)
> {
>     $userVO->delete();
> }
>
> Well, you might expect that $userVO is a "com.myPackage.UserVO", but it
> could also be a "com.myPackage.PhotoVO", or a "com.myPackage.AdminVO",
> or whatever. So you either have to make sure you do receive the VO type
> you expect, using instanceof or is_a, or you should only use "dumb" VOs
> which don't have any methods.
>
>
>
> Kind regards,
>
> Zoli
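
The checks recommended in the quoted message, as an added example that is not part of the original thread: a service method that authorizes the caller from server-side state, accepts only the expected VO class, and works on data-only VOs. The class names, the `$session` array and the `UserStore` helper are hypothetical.

```php
<?php
// Constructed example; every class and function name here is hypothetical.

// "Dumb" value objects: data only, no constructor or methods for a client to reach.
final class UserVO  { public $id = 0; }
final class AdminVO { public $id = 0; }

// Stand-in for the persistence layer; it only records what was deleted.
final class UserStore
{
    public $deleted = array();
    public function deleteById($id) { $this->deleted[] = (int) $id; }
}

function deleteUser($userVO, array $session, UserStore $store)
{
    // 1. Authorization comes from the server-side session, never from the payload.
    if (empty($session['userId']) || empty($session['isAdmin'])) {
        throw new RuntimeException('not authorized');
    }
    // 2. The class of a deserialized object is chosen by the client, so check it.
    if (!($userVO instanceof UserVO)) {
        throw new InvalidArgumentException('unexpected VO type');
    }
    // 3. Validate the data, then act in server code instead of calling $userVO->delete().
    $id = filter_var($userVO->id, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        throw new InvalidArgumentException('invalid user id');
    }
    $store->deleteById($id);
}

// Constructed requests: one legitimate, one with the wrong VO type, one unauthenticated.
$store = new UserStore();
$admin = array('userId' => 1, 'isAdmin' => true);
$user  = new UserVO();
$user->id = 42;

deleteUser($user, $admin, $store);
foreach (array(array(new AdminVO(), $admin), array($user, array())) as $case) {
    try {
        deleteUser($case[0], $case[1], $store);
    } catch (Exception $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
print_r($store->deleted);
```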