Posted by Gordon Burditt on 05/18/07 00:52
>Now it looks like the user will need PHP, web server, and
>MySQL. The user will download a PHP file and run it on their web
>server. The PHP page will have links to include files from my web
>site.

If you expect users to run PHP on their system with off-site include
files, either you're nuts, or your users are nuts. Especially when the
application deals with financial data.

>I think it should work this way, right? No security or
>firewall issues?

Including a PHP file from a site you (the guy running the site, in this
case, your customer) don't own is really, REALLY asking for trouble.

>Only issue here with me is that I run the risk of
>users modifying my PHP and javascript codes. I want to control the
>app from my web site so that if I make changes everyone will get the
>update, even the ones who run the app locally.

So if your site gets infected, so do all your customers. Or if
your DNS gets spoofed somehow so the customer sites go elsewhere
for the include files.

>BTW, I'm developing a financial app so the database will have
>financial information about the user. Most people including myself
>are protective of financial information.

People who are protective of financial information should have run away
screaming halfway through this article.
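
The following is an added example, not part of the original post: a Python check a site operator could run to find include/require statements that pull code from a URL, and to see whether php.ini's allow_url_include setting permits them. The function names, the sample PHP and php.ini text, and the vendor.example host are constructed for illustration.

```python
import re

# include/require (and the _once variants) whose argument is a remote URL
REMOTE_INCLUDE = re.compile(
    r"""\b(include|require)(_once)?\b\s*\(?\s*["'](https?|ftp)://[^"']+["']""",
    re.IGNORECASE,
)
ON_VALUES = {"1", "on", "true", "yes"}  # spellings php.ini treats as enabled

def find_remote_includes(php_source):
    """Return (line_number, statement) for each include/require of a URL."""
    hits = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):  # skip comment lines
            continue
        match = REMOTE_INCLUDE.search(stripped)
        if match:
            hits.append((number, match.group(0)))
    return hits

def url_include_enabled(ini_text):
    """True if allow_url_include is on; PHP 5.2.0 and later need it On
    before include/require will accept a URL."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop php.ini comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "allow_url_include":
            return value.strip('"').lower() in ON_VALUES
    return False

# Constructed sample: the layout proposed in the quoted text
SAMPLE_PHP = '''<?php
// application shell downloaded by the customer
require_once("http://vendor.example/app/lib.php");
include 'config.local.php';
include "https://vendor.example/app/ui.php";
'''

# Constructed sample php.ini fragment
SAMPLE_INI = '''; settings needed for the layout above
allow_url_fopen = On
allow_url_include = On
'''

if __name__ == "__main__":
    for number, statement in find_remote_includes(SAMPLE_PHP):
        print(f"line {number}: remote include: {statement}")
    print("allow_url_include enabled:", url_include_enabled(SAMPLE_INI))
```

Any hit means the customer's server executes whatever the remote host, or whoever answers for its name, returns at request time.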