
Transaction order: when to validate, authenticate



This thread is the continuation of a discussion that went on in the 'form validation logic' sticky in PHP Help.


Jenk is arguing that in an application the following transaction ORDER is a fact:

1.) Establish which action is to be taken. (e.g. which page to display)
2.) Authenticate, Filter, Validate and Escape input.
3.) Logic (the 'workings' of your script - including establishing data sources, error handling, etc.)
4.) Display output.

I'm arguing that this is not completely accurate, and at least some authentication should be able to take place before you can properly determine the 'route' (e.g. what logic to execute).

My last compromise:

1) get route
1a) get requested route
1b) authenticate
1c) adjust route if required
2) delegate (processing logic)
2a) validation
2b) all other logic
3) send output

Jenk is presenting me with this challenge:

[quote author=Jenk link=topic=36973.msg434771#msg434771 date=1158316733]
I suggest you re-read up on the FrontController pattern.

Ok, let's see you prove your statements. Authenticate the through put from this form:

[code]<form action="index.php" method="post">
<input type="text" name="myfield" size="15" />
<br />
<input type="text" name="myfield2" size="15" />
<br />
<input type="submit" />
</form>[/code]

Authenticate, Validate and Filter that, please.
[/quote]

I can't, because it's not a representation of a request. I can't determine the requested route, nor is there in this case anything to authenticate.

Example of authentication BEFORE routing:

User ip/host combo is on the banned list, adjust routing accordingly.
Thus, the order I posted is correct.. without knowing which action to execute (aka route to take, page to display, logic to execute,) you cannot authenticate anything.

edit: Btw, it's a perfectly normal representation of a request. It's just like any other request - it's a form.
[quote author=Jenk link=topic=108162.msg434793#msg434793 date=1158319321]
Thus, the order I posted is correct.. without knowing which action to execute (aka route to take, page to display, logic to execute,) you cannot authenticate anything.
[/quote]

You are again ignoring the difference between the requested and ultimately applied route.
[quote author=Jenk link=topic=108162.msg434797#msg434797 date=1158319616]
No, I'm not.

What I have ignored until now, is that you've changed what you argued and have also put a heavy bias on your OP in this thread ;)
[/quote]

True, I did change my point of view, because it was not on the spot. Neither is yours, yet you persist that it is the only right way/order. I'm a big enough man to admit when I'm wrong and adjust my perspective accordingly.
[quote author=Jenk link=topic=108162.msg434793#msg434793 date=1158319321]
edit: Btw, it's a perfectly normal representation of a request. It's just like any other request - it's a form.
[/quote]

No it's not.  <challenge>We can't deduct any route from it. From neither of our perspectives. </challenge>  ;D

[quote author=Jenk link=topic=108162.msg434800#msg434800 date=1158319989]
Have you read up on what Establish means yet? I even gave you a definition in the other thread, of what each step is for.
[/quote]

I must have missed that. And no I don't have a clue what you're talking about.  :P

Edit: You aren't talking about this, are you:
[quote=Jenk]
- Determine which action the user has requested, [u]if the user is allowed such action[/u] and serve the appropriate action.[/quote]

Because like I already pointed out it has an 'authentication clause' (I think I'll take that dictionary and put that in there now  :P)...

It consists of three different actions, when extracted, equalling 'my' order!

So I guess (as if I hadn't noticed) this discussion is more about who's right and who's wrong than the actual subject...

But hey I think it's fun.. :P
[quote author=448191 link=topic=108162.msg434801#msg434801 date=1158320329]
[quote author=Jenk link=topic=108162.msg434793#msg434793 date=1158319321]
edit: Btw, it's a perfectly normal representation of a request. It's just like any other request - it's a form.
[/quote]

No it's not.  <challenge>We can't deduct any route from it. From neither of our perspectives. </challenge>  ;D
[/quote]
Read the source code of the page you are currently viewing (i.e. this one) if you are now going to argue a form is not a valid request.
[quote]
[quote author=Jenk link=topic=108162.msg434800#msg434800 date=1158319989]
Have you read up on what Establish means yet? I even gave you a definition in the other thread, of what each step is for.
[/quote]

I must have missed that. And no I don't have a clue what you're talking about.  :P

Edit: You aren't talking about this, are you:
[quote=Jenk]
- Determine which action the user has requested, [u]if the user is allowed such action[/u] and serve the appropriate action.[/quote]

Because like I already pointed out it has an 'authentication clause' (I think I'll take that dictionary and put that in there now  :P)...

It consists of three different actions, when extracted, equalling 'my' order!

So I guess (as if I hadn't noticed) this discussion is more about who's right and who's wrong than the actual subject...

But hey I think it's fun.. :P
[/quote]
So, have you now finally clicked on what "Establish which Action to take" means? The key word being Establish, not Action..
[quote author=Jenk link=topic=108162.msg434806#msg434806 date=1158321570]
So, have you now finally clicked on what "Establish which Action to take" means? The key word being Establish, not Action..
[/quote]

LOL, you are truly unbelievable...  :P

You only added the definition of 'Establish which Action to take' to hold three totally separate actions after I told you the 'establishing' should be split TWICE! Plus, it is still incorrect, because it doesn't allow for 'rerouting' upon failure of authentication. It just says: 'we authenticate to check if the action is allowed', but what to do if it is not?
[quote author=Jenk link=topic=108162.msg434840#msg434840 date=1158325257]
Nope, you still need to read the definition of Establish. Save yourself all this headache you keep putting yourself through and go read it..

[b]Establish[/b] which action to take.
[/quote]

es·tab·lish Pronunciation (-stblsh)
tr.v. es·tab·lished, es·tab·lish·ing, es·tab·lish·es
1.
a. To set up; found. See Synonyms at found1.
b. To bring about; generate: establish goodwill in the neighborhood.

So what?
Look what it says: [size=14pt]1.[/size] meaning these are the most common definitions. Don't tell me you had a different definition in mind?  ;D

The universe is relative eh? I guess next you're going to make an argument the world is actually flat as a pancake?  :P
But you still only copied one definition, which is the least relative ;) What point are you trying to make about the commonality of the definition? ???

I'll point you in the correct direction that you continue to ignore.. Establish is also a synonym for Determine.
[quote author=Jenk link=topic=108162.msg434878#msg434878 date=1158328031]
But you still only copied one definition, which is the least relative ;) What point are you trying to make about the commonality of the definition? ???

I'll point you in the correct direction that you continue to ignore.. Establish is also a synonym for Determine.
[/quote]

Is THAT what you were aiming at?  :D  Establish, determine, generate, conclude, call it what you want, that doesn't change my argument at all!

Being this:

[quote=Jenk]- Determine which action the user has requested, if the user is allowed such action and serve the appropriate action.[/quote]

Consists of three different actions, when extracted, equalling 'my' second and third lists' (which had different names for the same actions) order!


On a sidenote, here's what I was intentionally leaving out:  8)
[quote]2.
a. To place or settle in a secure position or condition; install: They established me in my own business.
b. To make firm or secure.
[/quote]

I thought you were going to misuse the secondary definitions containing the keyword 'secure', claiming that is how you meant it from the start.
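
The order from the second list in the opening post (requested route, authenticate, adjust route, delegate with validation, output), sketched as a minimal front controller. This is an added example, not code posted by anyone in the thread; the `action` parameter, route names, `member` role, banned address and the 15-character limit are assumptions, and the requests are constructed arrays so it runs from the command line.

```php
<?php
// Added illustration; route names, roles and the banned list are hypothetical.
const BANNED_IPS = ['203.0.113.7'];                      // constructed sample address
const ROUTES = ['form' => null, 'submit' => 'member'];   // route => required role

// 1a) requested route: only allow-listed names can be requested
function requestedRoute(array $req): string {
    $r = $req['query']['action'] ?? 'form';
    return is_string($r) && array_key_exists($r, ROUTES) ? $r : 'form';
}

// 1b + 1c) authenticate, then adjust the route if a check fails
function appliedRoute(string $requested, array $req): string {
    if (in_array($req['ip'], BANNED_IPS, true)) {
        return 'banned';              // decided before any handler logic runs
    }
    $need = ROUTES[$requested];
    if ($need !== null && ($req['session']['role'] ?? null) !== $need) {
        return 'login';               // reroute targets are never client-requestable
    }
    return $requested;
}

// 2a) validation lives in the handler, which knows what its fields mean
function handleSubmit(array $post): string {
    $a = $post['myfield'] ?? null;
    $b = $post['myfield2'] ?? null;
    foreach ([$a, $b] as $v) {
        if (!is_string($v) || $v === '' || strlen($v) > 15) return 'Invalid input';
    }
    // 3) escape at output time, for the HTML context
    return 'Received: ' . htmlspecialchars("$a / $b", ENT_QUOTES, 'UTF-8');
}

function dispatch(array $req): string {
    switch (appliedRoute(requestedRoute($req), $req)) {
        case 'banned': return 'Access denied';
        case 'login':  return 'Please log in';
        case 'submit': return handleSubmit($req['post'] ?? []);
        default:       return 'Form page';
    }
}

// Constructed requests: logged-in member, banned client, anonymous client
$member = ['ip' => '198.51.100.4', 'query' => ['action' => 'submit'],
           'session' => ['role' => 'member'],
           'post' => ['myfield' => '<b>x</b>', 'myfield2' => 'y']];
echo dispatch(['ip' => '203.0.113.7'] + $member), "\n";
echo dispatch(['session' => []] + $member), "\n";
echo dispatch($member), "\n";
```

The same `submit` request ends up on three different applied routes depending on the outcome of the checks in `appliedRoute()`, while field validation only runs once a handler has been chosen.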