How to encapsulate business logic like com in ASP?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

janetsmith
Forum Newbie
Posts: 3
Joined: Wed Jun 21, 2006 3:01 am

Post by janetsmith »

How to encapsulate business logic like com in ASP?

Thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

COM has nothing to do with business logic... it's an interface to communicate to other COM components.

Could you explain some more? Why is this a security thread?
janetsmith
Forum Newbie
Posts: 3
Joined: Wed Jun 21, 2006 3:01 am

Post by janetsmith »

Let's say I create a module/function to connect to a database.
I want to hide the connection info like the password, so I want to compile it and make it unreadable.

This module only provides an interface or method which people can call.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I think you're in for more hassle than what it's worth, but okay.

The COM library in PHP is given a GUID or COM name, if you know them. Once you have the COM object created, you have that interface. You can do pretty much whatever that interface can perform in C or VB or ASP.NET. PHP will add some necessary overhead because it's an external system that it has to build an interface to dynamically.

To do all this just to hide a database password seems rather silly. The only reason I can see making another layer between the server and the database is if PHP doesn't have an existing interface to it, which is somewhat hard to believe, but okay. Why not set up a separate, more restricted user for PHP to use directly to this database if PHP does in fact support it? Why lock yourself into COM? Last I checked, it was exclusive to Windows. Not that I have much against Windows, I work on them every day, it's just not the system to use for a server in my experience.
janetsmith
Forum Newbie
Posts: 3
Joined: Wed Jun 21, 2006 3:01 am

Post by janetsmith »

Is there any COM counterpart in PHP? I mean, does PHP have something which is similar to COM?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

janetsmith wrote: Is there any COM counterpart in PHP? I mean, does PHP have something which is similar to COM?
I'm not quite sure how to answer that. What do you specifically mean? PHP has extension interfaces where you could create a closer knit interaction between PHP and whatever database you're using, but it, again, may be more complicated than what you need. Since you haven't really been specific about the database you're using, it's hard to say what the more simple route would be.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

janetsmith wrote: I want to hide the connection info like the password, so I want to compile it and make it unreadable.
It's not unreadable (otherwise, how would the computer be able to read it?)
With a hex editor the connection string can still be (easily) looked up...
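
The point made in the post above, as an added example that is not part of the original thread: a check a team could run over its own build artifacts to confirm that a compiled component still exposes an embedded connection string. The sample bytes, the credential values and the function names are constructed for illustration.

```python
import re

# Constructed sample: bytes standing in for a compiled component that embeds
# a connection string, once as ASCII and once as UTF-16LE (common on Windows).
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\xff\xff\x00\x00"
    + b"\x8b\xec\x83\x01Server=db01;Database=shop;User Id=app;"
    + b"Password=Example-Pw-123;\x00"
    + b"\x00\x10\xc3\x90"
    + "Provider=SQLOLEDB;PWD=Another-Example;".encode("utf-16-le")
    + b"\x00\x00\xcc\xcc"
)

MIN_LEN = 6  # shortest printable run worth reporting

# Runs of printable characters, stored one byte or two bytes per character.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Connection-string keys that carry a password, followed by their value.
SECRET_KEY = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;]+)")


def printable_strings(blob):
    """Return printable runs found in blob, decoded from ASCII and UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def embedded_credentials(blob):
    """Return (key, value) pairs that look like connection-string passwords."""
    hits = []
    for text in printable_strings(blob):
        for key, value in SECRET_KEY.findall(text):
            hits.append((key, value))
    return hits


if __name__ == "__main__":
    for key, value in embedded_credentials(SAMPLE_BINARY):
        print(f"{key} recovered from binary: {value}")
```

Any hit from such a check means the credential should be treated as readable by whoever can read the file, which is why the restricted database user suggested earlier in the thread limits the damage where compilation does not.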
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

janetsmith wrote: Is there any COM counterpart in PHP? I mean, does PHP have something which is similar to COM?
PHP can consume COM (and even .NET) components when it's executed on Windows...
http://www.php.net/com
http://www.php.net/dotnet

Now, if you want to 'obfuscate' and deliver binaries you can also write your own extension (but most people don't want to load binary-only stuff, and most webhosts simply don't allow it either...)
http://pecl.php.net
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

You could use an encoded script (using Zend Encoder or one of its many rivals).