[nycphp-talk] Not-so-subtle attack on PHP
John Campbell
jcampbell1 at gmail.com
Fri Sep 28 13:35:44 EDT 2007
On 9/28/07, Kenneth Downs <ken at secdat.com> wrote:
> I will claim that putting security
> directly into the database is better than any other way because it does what
> is needed in the end with the least possible work.
I must be missing something. Take a simple social networking
scenario: A user can only see another user's complete profile if and
only if they are mutual friends. Implementing that in the tables
would be a huge pain in the ass and incur a big performance penalty.
Is there some super easy way to implement this that I am missing?
My problem with implementing security in the database is that it
forces a relationship between data elements and users, whereas if you
implement the security layer between the application and the data then
you can write policies that are a function of the data itself.
-Cheers
John Campbell
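An added example, not from the thread or its authors, using Python's sqlite3 to show the mutual-friends rule from the message both ways: as a check the application performs before fetching, and as a filter embedded in the query itself so a caller cannot skip it. The schema, table names and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed schema: a directed friendships table, so "mutual" means
# both directions (a -> b and b -> a) are present.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE profiles(user_id INTEGER PRIMARY KEY, bio TEXT, email TEXT);
CREATE TABLE friendships(user_id INTEGER, friend_id INTEGER,
                         PRIMARY KEY(user_id, friend_id));
"""

# SQL fragment shared by both approaches: does a mutual edge exist
# between the viewer (?) and the row's user (p.user_id)?
MUTUAL = """EXISTS (SELECT 1 FROM friendships a JOIN friendships b
                      ON a.user_id = b.friend_id AND a.friend_id = b.user_id
                     WHERE a.user_id = ? AND a.friend_id = {target})"""

def build_db():
    """Constructed sample data: 1<->2 are mutual friends, 1->3 is one-way."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES(?,?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.executemany("INSERT INTO profiles VALUES(?,?,?)",
                     [(1, "bio1", "a@x"), (2, "bio2", "b@x"), (3, "bio3", "c@x")])
    conn.executemany("INSERT INTO friendships VALUES(?,?)", [(1, 2), (2, 1), (1, 3)])
    return conn

def is_mutual_friend(conn, viewer, target):
    """Policy as a function of the data: both directed edges must exist."""
    sql = "SELECT " + MUTUAL.format(target="?")
    return conn.execute(sql, (viewer, target)).fetchone()[0] == 1

def get_profile(conn, viewer, target):
    """Application-layer enforcement: decide first, then fetch the row."""
    if viewer != target and not is_mutual_friend(conn, viewer, target):
        return None
    return conn.execute("SELECT bio, email FROM profiles WHERE user_id = ?",
                        (target,)).fetchone()

def visible_profiles(conn, viewer):
    """Query-embedded enforcement: the filter rides along with the SELECT."""
    sql = ("SELECT p.user_id FROM profiles p WHERE p.user_id = ? OR "
           + MUTUAL.format(target="p.user_id") + " ORDER BY p.user_id")
    return [row[0] for row in conn.execute(sql, (viewer, viewer))]
```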