I'm currently building an application framework that I can use with a variety of applications. The framework is written in PHP and has a RESTful API. I want the framework to enable single page applications using a combination of jQuery and my API.

I've looked into backbone.js but the problem I have with it and some others like it is the fact that you're essentially duplicating your business logic in js. Not only does this effectively double the size of your codebase, it also represents a security risk of sorts. By duplicating your business logic in js, you're showing the entire world what your back-end looks like which makes the jobs of malicious users that much easier.

That said, I'm certainly not a front-end/js guru and I've really only seriously looked at backbone.js for this. My thinking is that there must be a good way to define dynamic js functions which accomplish essentially the same thing. What I'm looking for is a point in the right direction, even if it's telling me how wrong I am.

David Myers

2 Answers

If you are using REST to update your model via JSON, you really don't have twice the amount of code in the application. It really depends on how much work you want to do on the client and how much on the server. If you want basic form validation you will have to write it on the client as well as the server.

Duplicating business logic on the client seems like a non-issue. Simply submitting invalid data will expose your business rules to a malicious user eventually. Minifying the JavaScript would go a long way to help deter this, but most of the time you just have simple validation on the client and business rules on the server.

Joshua Dale
  • Regarding the amount of business logic, I've got an entire set of classes on the back-end and from what I can tell, backbone.js requires you to re-define those same classes on the front-end. As far as the work I want done on the front-end, I want a single page app that is dynamically controlled via js, which is way more complicated than just form validation. And simply submitting invalid data won't expose any of my logic, it just returns errors. – David Myers Apr 21 '12 at 17:25
  • You can always perform validation on the server by calling back to your service through the validate function in the client model. Typically the validate function is used to validate the model, but it can be used more heavily as well. Point being if you want client validation, you need to validate on the client even if that means going to the server to perform the validation. Rolling your own framework won't change this, it will just add complexity for any additional developers that need to work on your project. – Joshua Dale Apr 21 '12 at 22:20
  • I think you've misunderstood what it is I'm trying to do. I'm trying to find a way to achieve a single page application without the use of backbone.js because doing so would require that I duplicate my back-end code in js. Honestly, I'm not even sure what you're talking about in your previous comment. – David Myers Apr 23 '12 at 22:54
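The split described in the answer above (simple checks on the client, business rules on the server), as an added example that is not code from anyone in this thread. The server handler is written in JavaScript only so the sketch runs in one file; in the asker's setup it would be the PHP API. All function names, products and limits are hypothetical.

```javascript
// Added example; every name and rule value below is hypothetical.
// --- Server side: stand-in for the API handler. Rules and prices live only here. ---
const PRICE_LIST = { widget: 500, gadget: 1250 }; // cents, never shipped to the browser
const MAX_QTY = 20;

function validateOrderOnServer(body) {
  const errors = {};
  if (!Object.prototype.hasOwnProperty.call(PRICE_LIST, body.sku)) {
    errors.sku = "Unknown product.";
  }
  if (!Number.isInteger(body.quantity) || body.quantity < 1 || body.quantity > MAX_QTY) {
    errors.quantity = "Invalid quantity."; // generic text: the limit itself is not disclosed
  }
  return errors;
}

function handleApiRequest(rawJson) {
  let body;
  try {
    body = JSON.parse(rawJson);
  } catch (e) {
    return { status: 400, json: { errors: { request: "Malformed JSON." } } };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { status: 400, json: { errors: { request: "Expected a JSON object." } } };
  }
  const errors = validateOrderOnServer(body);
  if (Object.keys(errors).length > 0) return { status: 422, json: { errors } };
  // The total is computed from server data; a client-supplied "total" is ignored.
  const total = PRICE_LIST[body.sku] * body.quantity;
  return { status: 201, json: { sku: body.sku, quantity: body.quantity, total } };
}

// --- Client side: convenience checks only, then render whatever the server says. ---
function clientPrecheck(form) {
  const errors = {};
  if (!form.sku) errors.sku = "Required.";
  if (form.quantity === undefined || form.quantity === "") errors.quantity = "Required.";
  return errors;
}

// `send` stands in for the AJAX call (for example a jQuery POST to the API).
function submitOrder(form, send) {
  const pre = clientPrecheck(form);
  if (Object.keys(pre).length > 0) return { ok: false, errors: pre };
  const res = send(JSON.stringify({ sku: form.sku, quantity: Number(form.quantity), total: form.total }));
  if (res.status === 201) return { ok: true, order: res.json };
  return { ok: false, errors: res.json.errors };
}
```

A request that skips `submitOrder` and posts straight to `handleApiRequest` meets the same rules, and the only thing visible in the browser bundle is the required-field check.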
I am creating and using the following structure for my SPAs:

├── ajax //~ function calls, posted data must be on the same server
├── html //~ webroot
│   ├── css 
│   ├── fonts
│   ├── images
│   ├── js //~ js files, including jquery,init,functions,admin,etc.
│   ├── uploads
│   └── index.php, .htaccess
└── includes //~ config,functions,router,index.html-the template

This is an SEO-friendly SPA framework that I think (hope?) is quite secure. All ajax calls are verified posted on the originating server. I hope that someone sees this and has some insight if I am doing something brazenly wrong.

richardwhitney