From: James E. F. <jf...@ac...> - 2002-03-25 04:52:35
On Sun, 24 Mar 2002, Matthew Gregg wrote:
> On Sunday, March 24, 2002 James E. Flemer wrote:
>
> > The best solution to this is something you have already
> > suggested -- an install script. The install script, if
> > written, must check to make sure the user will not install
> > the phpESP.ini in a publicly accessible directory,
>
> An install script is surely the way to go. However I'm not sure it's
> possible for an install script to know what is and what isn't a web
> accessible directory. We are gonna have to trust the user somewhat.

True, but you can do some pretty good guessing, and if it looks like a
public directory, give a second confirmation and big warning message.

--snip--

> > I am very glad you mentioned XML. I would actually like to
> > move a large portion of data out of mysql and into XML. I
>
> Are you sure you want to do this? XML is a great data "interchange"
> mark-up, but generally functions poorly as a data repository, unless you
> have a specialized XMLDB.
> I would put my vote in favor of keeping a SQL based back-end and use
> XML/XSLT as presentation/data exchange layer.

Well yes and no. My idea is to use XML internally (in PHP) and to store
the XML in the database. But when a survey was activated, we would use
XSLT to make a (X)HTML rendering of the survey. This would allow very
fast serving of the survey, since we would eliminate a lot of SQL/DB
overhead. Plus, it is much harder to create a database schema that will
allow for the flexibility of survey design I want (and that XML allows) ...

--snip--

> > I would like to see an interface to PostNuke first. Note
> > that there are license differences between most of those
> > CMS and phpESP, so phpESP cannot be distributed with them,
> > but I can certainly work with them.
>
> Not that I would distribute ESP with any of the above CMS's, but can you
> explain why ESP can't be? They are all GPL'd.

phpESP is not GPL, it has a BSD-style license. GPL is a nasty license,
and will not allow you to distribute non-GPL software with it. The
phpESP license allows distributing one of the above with it, but not
vice versa.

--snip--

> > I don't quite follow this. I am assuming you mean removing
> > the step where the user inserts the PHP code into their
> > HTML template file. Naturally that would be ideal, but
> > probably not possible security wise (since the web server
> > executes without user privileges).
>
> This is just off the top of my head, but what's wrong with something like
> this:
>
> <html>
> <body bgcolor="#ffffff">
> <?php $sid=$id; include("/var/www/esp/public/handler.php");?>
> </body>
> </html>
>
> Then called as survey.php?id=3 would show survey with ID 3.

Bad security, the SID should not be seen by the end user, nor
specifiable. Also if one was to use the above code, it should really
read:

<?php $sid=intval($id); ... ?>

However, there is certainly nothing stopping any end user from using a
script like that. It won't ever be encouraged by me nor be part of the
standard distribution.

-James
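The "pretty good guessing" an install script can do before writing phpESP.ini, as an added example that is not part of the original message or of phpESP's own installer. It assumes a handful of conventional document roots and directory names as its defaults (the `$known_roots` list and the name list are constructed for this example), reads the web server's DOCUMENT_ROOT only when the installer happens to run under it, and deliberately avoids touching the filesystem because the target directory may not exist yet. A non-empty result is the cue for the second confirmation and warning the message describes; an empty result is only the absence of an obvious sign, not proof the directory is private.

```php
<?php
// Added example (not phpESP's installer): heuristic check for a directory
// that looks web-served, run before writing phpESP.ini there.
// The candidate roots and directory names are assumptions for this example.

declare(strict_types=1);

/** Normalise a path without touching the filesystem (the target may not exist yet). */
function normalize_path(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

/**
 * Return the reasons $dir looks web-accessible (an empty list means "no
 * obvious sign"). $env_docroot is the server's DOCUMENT_ROOT when the
 * installer runs under the web server, otherwise null.
 */
function web_exposure_reasons(string $dir, ?string $env_docroot, array $known_roots): array
{
    $dir = normalize_path($dir);
    $reasons = [];

    $roots = $known_roots;
    if ($env_docroot !== null) {
        $roots[] = $env_docroot;
    }
    foreach ($roots as $root) {
        $root = rtrim(normalize_path($root), '/');
        if ($dir === $root || strpos($dir, $root . '/') === 0) {
            $reasons[] = "inside document root $root";
        }
    }
    // Per-user web directories (~user/public_html) and common web root names.
    foreach (['public_html', 'htdocs', 'wwwroot', 'www', 'html'] as $name) {
        if (preg_match('#/' . preg_quote($name, '#') . '(/|$)#', $dir) === 1) {
            $reasons[] = "path contains the conventional web directory name '$name'";
        }
    }
    return array_values(array_unique($reasons));
}

// Constructed sample defaults an installer might ship with.
$known_roots = ['/var/www', '/usr/local/apache/htdocs', '/srv/www'];

foreach (['/var/www/esp/public', '/home/alice/public_html/esp', '/etc/phpesp'] as $candidate) {
    $reasons = web_exposure_reasons($candidate, getenv('DOCUMENT_ROOT') ?: null, $known_roots);
    if ($reasons === []) {
        echo "$candidate: no sign of web exposure, proceeding\n";
    } else {
        echo "$candidate: WARNING, looks web-accessible (" . implode('; ', $reasons) . ")\n";
        echo "  re-confirm with the user before writing phpESP.ini here\n";
    }
}
```

Run on the three constructed candidates, the first two are flagged (document-root prefix and the `public_html` name respectively) and `/etc/phpesp` passes; the installer then still has to trust the user for anything the heuristics cannot see, such as a virtual host whose root is not in the list.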
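A hardened form of the quoted `survey.php` wrapper, added here as an example and not code from the original message or from phpESP. The quoted snippet relies on PHP's register_globals to turn `?id=3` into `$id`; this version reads the request explicitly, never lets a raw value reach `$sid`, and, following the point that the SID should be neither visible nor specifiable, maps an opaque public key to the internal sid on the server side. The `PUBLIC_SURVEYS` table, the `s` parameter and the six-character key shape are assumptions for this example; the include path is the one from the message. `strict_int_id()` is the drop-in for templates that still take a numeric `id`: it accepts only a plain positive integer rather than letting `intval()` quietly coerce values like `"3abc"` to 3.

```php
<?php
// Added example (not phpESP code): hardened survey wrapper.
// PUBLIC_SURVEYS, the 's' parameter and the key format are assumptions.

declare(strict_types=1);

// Constructed sample mapping: opaque public key => internal survey id (sid).
// In a real deployment this would come from the database or phpESP.ini.
const PUBLIC_SURVEYS = [
    'k7f3q9' => 3,
    'a1b2c3' => 12,
];

/**
 * Resolve the request parameter to an internal sid, or null if it is
 * missing, malformed or unknown. Callers must treat null as "no survey"
 * and never fall through to a default sid.
 */
function resolve_sid(array $query, array $public_surveys): ?int
{
    $key = $query['s'] ?? null;
    if (!is_string($key)) {
        return null;
    }
    // Accept only the exact key shape we issue; reject before any lookup.
    if (preg_match('/\A[a-z0-9]{6}\z/', $key) !== 1) {
        return null;
    }
    return $public_surveys[$key] ?? null;
}

/**
 * For templates that keep a numeric id parameter as in the quoted snippet:
 * accept only a plain positive integer instead of intval()'s coercion.
 */
function strict_int_id(array $query): ?int
{
    $raw = $query['id'] ?? null;
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,9}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

$sid = resolve_sid($_GET, PUBLIC_SURVEYS);
?>
<html>
<body bgcolor="#ffffff">
<?php
if ($sid === null) {
    // Unknown or malformed key: do not reveal which sids exist.
    http_response_code(404);
    echo '<p>No such survey.</p>';
} else {
    include '/var/www/esp/public/handler.php';
}
?>
</body>
</html>
```

With this layout a request for `survey.php?s=k7f3q9` sets `$sid` to 3 before the handler is included, while `?s=3`, `?s=K7F3Q9` or a missing parameter all end in a 404 without any database access; the internal numbering never appears in a URL, which is what keeps it from being enumerated.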