Not planned Prevent direct add-on access to the database

psTubble27

Well-known member
Add-ons create SQL tables they need for their usage. When they are uninstalled, however, orphan SQL tables can remain.

Instead, all database access should filter through the XF engine. The add-on would invoke a function like xen_create_table("tablename"). This would allow XF to keep track of all add-on created tables, and when uninstalled, to clean up those tables automatically.

In the ideal world, uninstalling 100 add-ons would leave the database in the same pristine state as if they were never installed.

The primary benefit of this feature is that if the add-on is unneeded, or presents a security risk, its data can be gotten rid of without technical hassle.
 
This suggestion has been closed. Votes are no longer accepted.
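
The tracking scheme proposed in the first post, as an added example that is not part of the thread and is not XenForo code. The `AddonTableRegistry` class, its methods, the registry table and the add-on IDs are all assumptions, and the demo runs against an in-memory SQLite database through PDO (PHP 8).

```php
<?php
// Added sketch: AddonTableRegistry is hypothetical, not a XenForo API.
final class AddonTableRegistry
{
    public function __construct(private PDO $db)
    {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE IF NOT EXISTS addon_table_registry (table_name TEXT PRIMARY KEY, addon_id TEXT NOT NULL)');
    }
    // Identifiers cannot be bound as parameters, so accept a strict pattern only.
    private function checkName(string $table): void
    {
        if (!preg_match('/\A[a-z][a-z0-9_]{0,62}\z/', $table) || $table === 'addon_table_registry') {
            throw new InvalidArgumentException('Rejected table name');
        }
    }
    // $columnsSql comes from the add-on's installer code, never from user input.
    public function createTable(string $addonId, string $table, string $columnsSql): void
    {
        $this->checkName($table);
        $this->db->beginTransaction(); // SQLite rolls back DDL; MySQL commits it implicitly
        try {
            // The primary key rejects a name already claimed by another add-on.
            $this->db->prepare('INSERT INTO addon_table_registry VALUES (?, ?)')->execute([$table, $addonId]);
            $this->db->exec("CREATE TABLE $table ($columnsSql)"); // fails if the table exists
            $this->db->commit();
        } catch (Throwable $e) {
            $this->db->rollBack();
            throw $e;
        }
    }
    // Drops every table the add-on registered and returns their names.
    public function uninstall(string $addonId): array
    {
        $q = $this->db->prepare('SELECT table_name FROM addon_table_registry WHERE addon_id = ?');
        $q->execute([$addonId]);
        $tables = $q->fetchAll(PDO::FETCH_COLUMN);
        foreach ($tables as $table) {
            $this->checkName($table);
            $this->db->exec("DROP TABLE IF EXISTS $table");
        }
        $this->db->prepare('DELETE FROM addon_table_registry WHERE addon_id = ?')->execute([$addonId]);
        return $tables;
    }
}

$reg = new AddonTableRegistry(new PDO('sqlite::memory:')); // constructed demo data below
$reg->createTable('Vendor/Gallery', 'gallery_item', 'id INTEGER PRIMARY KEY, title TEXT');
$reg->createTable('Vendor/Polls', 'poll_vote', 'id INTEGER PRIMARY KEY');
print_r($reg->uninstall('Vendor/Gallery'));
```

It only accounts for tables created through the wrapper; add-on code that uses the shared database object directly is not tracked.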
Also, if this database object can be read by any add-on, am I correct in assuming that it is one huge security breach waiting to happen (again, coming from the JVM and the PC protected memory world)?
From a cynical POV, yes. But then, you're letting Trojan Horses enter your forum, so you have only yourself to blame.

While the community responds quickly to potentially malicious code, you are still required to manually check the code from addons you wish to use before using it should you be on the suspecting side.
 
Of course, we all know how secure that model is. Hasn't been a Java exploit in years. Oh. Wait.....
I know :) I'm only talking about the model and not buggy implementations. The protected memory model in the PC world is similar, and the User-based access model in *nix and recent Windows is also extremely similar.


you are still required to manually check the code from addons you wish to use before using it should you be on the suspecting side.
That's the hugely important point I'm discovering because of this thread. I don't believe it has been emphasized enough in the online world. I see what you're saying. PHP is still in the 'cooperative multitasking' mould of the early PCs.
 
PHP is still in the 'cooperative multitasking' mould of the early PCs.

There's nothing wrong with that. People shouldn't be installing addons without first checking to see what they actually do, and never, ever on a live site without testing them first.

There are addon authors that I trust implicitly. There are others that I would have to check the code and test first. And then there's the last group who I'll never use.
 