Comments on Ben's Journal: Developing Components For Joomla Version 1.0
Feed author: Ben Simon. Feed last updated: 2024-03-28T15:41:37-04:00. Four comments, newest first.

Ben Simon, 2008-04-08T08:57:00-04:00:

I certainly don't want to get into the position of defending Joomla, as I know so little about the system... but...

defined(_JEXEC) or die()

Seems like a necessary evil with PHP, where every script can run if an attacker knows the URL to do so.

From this hello world component (http://dev.joomla.org/component/option,com_jd-wiki/Itemid,/id,components:hello_world_mvc1), it looks like the API is relatively clean.

But again, what the heck do I know...

Anonymous, 2008-04-08T08:14:00-04:00:

No, I haven't really looked at version 1.5 yet and I don't intend to, really.

Your description of the "defined(_JEXEC) or die()" check is a good example of why. If everything really was done purely with clean templating separating the logic out, and putting just classes in non-template PHP files, this is totally unnecessary. If only a class definition is loaded, that can do no harm when you request it directly - same for a template with no logic and just variables that get filled in.

Things like this are what I remember from back in the day with 1.0 - the Joomla people seem to be pretty clueless about security in general (just follow any security newsfeed for a bit and you'll know). I'd be surprised if that suddenly turned 180 degrees, so I'm not touching this CMS with a 10 foot pole.

Ben Simon, 2008-04-08T07:56:00-04:00:

Peter -

What you're describing sounds like what I saw for 1.0.

For 1.5, the docs at least paint a significantly different picture.

Have you played around with 1.5 at all?

Anonymous, 2008-04-08T03:24:00-04:00:

Honestly, I think the words "Joomla" and "clean" should never be used in the same sentence.

We've used it before and it's a security nightmare. Most of the code is very messy. You say MVC, but what I remember from back when we used it is that it mixed presentation and logic in its templates pretty freely. No MVC in sight! AFAIK its HTML output is pretty rigid (often using tables for layout) and hard to style using CSS.

Just my $0.02