Architecture

vaaaska

I've created a really simplistic architecture for dealing with many different variations within a section. It's easier to explain with a url:

http://www.thesite.com/cms/?a=pages&q=edit&id=123

Now, pages are called up dynamically as referenced by '$a'. $a represents a folder name.

BUT, if a user tries to input a value for $a that is not the in an array of allowed values they will be sent back to a default folder (home). So, the question which will arise, are my $_GET values being validated...the answer is 100%.

Now, the '$q' value does not relate to folders or files, but rather to functions. $id, obviously is deal with within the function, etc. And this is where my question sort of begins - let me post some code (this is roughly what is found in the 'index' page for each folder):

	// no peeping toms allowed
	if (!defined('SITE')) exit;


// section security is first...
// if they don't have permission they get an error page
$go['scrty'] = $access->secSecurity('content',$user['ID'],'content');


// submits go up here...
// whatever you desire...
if (isset($_POST['addRecord'])) {
	fout('sbmtNew',$_POST);
}

if (isset($_POST['save_x'])) {
	fout('sbmtUpdate',$_POST);
}

// check for registered page/function (see below)
// if the function doesn't exist they get a default
doesExist($go['q']);


// register your pages here
function index()
{
	echo fout('pageMenu',NULL);
}

function edit()
{
	echo fout('pageEdit',NULL);
}

First of all, I boiled this down some so as to be brief. There is some more validation on $_GET's that happens at the beginning of the script.

The next thing that will look strange is 'fout' and/or 'fin'. It means function IN and function OUT. These functions are callback functions that go and get only what need for the script to execute. I became really obsessed with lightness of things (and also for the reason that if all of this is wrong I can easily recompile the architecture at a later time).

This page acts as a switchboard to everything within a section/folder - pages and submits. It's working plenty fast but since I've never quite done something to this scale I'm not very confident what what's at hand here. So, I'm seeking some advice (based upon what you see here - if it's possible).

I think the biggest outstanding issue here is how I've dealt with submits. While I like the ease of setting them up this way, I wonder how easy this might be to crack. In each of the submits there is a function that asks if the person is actually logged in and has the correct permission for that particular action - if not, they get booted out.

Ok, I hope this is somehow enough to explain my thoughts on this subject. Thanks for any advice.

PS: If anybody would like to see this in action send me a PM. If I know who you are and I trust you I'll get back to you...

thorpe

i think your in the wrong forum maybe.... this is for complete working code to be reviewed.

anyway... i dont see anything wrong with the way you've gone about things. aslong as everything is validated, and has some sort of default apon failure, i think its a great method to use. in fact ive seen many a cms use the same or a simular aprouch.

vaaaska

This is working code, but it's part of a much larger system. I only wanted to post the relevant portion to my question. I think this is the right section.

And yep, I was aware that without some tight validation this is completely useless...

vaaaska

After focusing on this for a little while I realize that $q can call up any active function. That's not good. So, I'll want to either append the function names here or add an extra layer that allows only the few functions that should be usable here.

BuzzLY

thorpe wrote:
i think your in the wrong forum maybe.... this is for complete working code to be reviewed.

I think you are misinterpreting, thorpe. This forum is for critique of complete code, period. Granted, there is a fine line between "what do you think of this code snippet" and "how can I fix this code snippet," but I am of the belief that if you think a forum to be the proper place for your post, you're probably right. In this case, it's fine. He's simply asking for opinions on the code he posted. The code does not have to be a complete, standalone application.