I am working towards the goal of a social site; however, being a beginner, I have many questions I need to answer before getting anywhere! One of these is in regards to embeddable scripts/web apps/widgets. I would like to allow the users of the site to upload web apps or widgets that can be used on blogs and as standalone apps. However, I'm worried about a few things:

1) security (how to avoid SQL injection (this one probably isn't much of a worry), XSS etc.), and also
2) how to go about storing/hosting.

I would like to be able to allow free and paid apps/scripts, but I don't know how to go about the storage of data and hosting. If I let them do it externally that would introduce all kinds of problems, but how do I let them store it locally on my servers? I would probably be using a cloud hosting service when I am finally ready to launch the site, but that would presumably become expensive. So would I have to set up a verification tool to verify that it's okay, or maybe charge them for the costs of hosting it + a fee? Maybe split it into classifications? If it's a class A you can get off with a one-off payment to host it, and either I get a split of the profit of each sale or, if it's free, then I just get the profit from ads and they get to use their web apps? And how will data be stored? Is it possible to store many SQLite databases in a MySQL database?

Advice would be much appreciated.

P.S. I will be using Python and Django for this site.


One of these is in regards to embedable scripts/ web apps/ widgets
What do you mean by this? You want to allow users to save their own html/javascript on your site? Upload flash content?

is it possible to store many sqlite databases in a mysql database?
Well, this is interesting... I suppose you could save them as blobs in a MySQL database, but I really don't see why you would want to do that. Why not just structure the main MySQL database(s) so that users can save there?
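As an added illustration of the "blobs" idea above (this is example code written for this page, not anything posted in the thread): each user app gets its own SQLite file, the file's bytes are stored in one row of a catalogue table, and the blob is validated before it is accepted. The catalogue here is an in-memory SQLite database purely so the example runs offline; with MySQL the `db_blob` column would be a `LONGBLOB` and the same bytes would go in. The table, column names and the 4 MB quota are assumptions.

```python
import os
import sqlite3
import tempfile

# Added example, not code from the thread. Names, table layout and the quota
# are assumptions chosen for illustration.
SQLITE_MAGIC = b"SQLite format 3\x00"
MAX_APP_DB_BYTES = 4 * 1024 * 1024   # assumed per-app quota


def open_catalogue():
    """The site's own database (in-memory SQLite here, standing in for MySQL)."""
    cat = sqlite3.connect(":memory:")
    cat.execute("""CREATE TABLE app_databases (
                       owner TEXT, app_name TEXT, db_blob BLOB,
                       PRIMARY KEY (owner, app_name))""")
    return cat


def db_to_bytes(conn):
    """Snapshot a live SQLite connection into bytes via the backup API
    (Python 3.7+; 3.11 also offers conn.serialize())."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        disk = sqlite3.connect(path)
        conn.backup(disk)
        disk.close()
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.unlink(path)


def bytes_to_db(blob):
    """Load a (possibly untrusted) blob into a fresh in-memory connection."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(blob)
        disk = sqlite3.connect(path)
        mem = sqlite3.connect(":memory:")
        disk.backup(mem)
        disk.close()
    finally:
        os.unlink(path)
    return mem


def validate_app_blob(blob):
    """Cheap checks before a user-supplied database is accepted: the file
    header, the size quota (the basis for charging by storage used), and
    SQLite's own integrity check. Returns None when the blob is acceptable,
    otherwise a short reason."""
    if not blob.startswith(SQLITE_MAGIC):
        return "not an SQLite database file"
    if len(blob) > MAX_APP_DB_BYTES:
        return "over quota (%d bytes)" % len(blob)
    try:
        conn = bytes_to_db(blob)
        status = conn.execute("PRAGMA integrity_check").fetchone()[0]
        conn.close()
    except sqlite3.Error as e:
        return "corrupt database: %s" % e
    return None if status == "ok" else "integrity check failed: " + status


def store_app_database(cat, owner, app_name, blob):
    problem = validate_app_blob(blob)
    if problem:
        raise ValueError(problem)
    cat.execute("INSERT OR REPLACE INTO app_databases VALUES (?, ?, ?)",
                (owner, app_name, blob))
    cat.commit()


def load_app_database(cat, owner, app_name):
    row = cat.execute("SELECT db_blob FROM app_databases "
                      "WHERE owner = ? AND app_name = ?",
                      (owner, app_name)).fetchone()
    return None if row is None else bytes_to_db(bytes(row[0]))


def demo():
    """Round trip with constructed sample rows: build an app database, store
    it as a blob, load it back and query it. Returns the total score."""
    app = sqlite3.connect(":memory:")
    app.execute("CREATE TABLE scores (player TEXT, score INTEGER)")
    app.executemany("INSERT INTO scores VALUES (?, ?)",
                    [("alice", 30), ("bob", 12)])   # constructed sample data
    app.commit()
    cat = open_catalogue()
    store_app_database(cat, "pwolf", "scoreboard", db_to_bytes(app))
    restored = load_app_database(cat, "pwolf", "scoreboard")
    return restored.execute("SELECT SUM(score) FROM scores").fetchone()[0]
```

The point of `validate_app_blob` is that a blob uploaded by a user is input like any other: it is checked for the header, the quota and structural integrity before it is ever written to the catalogue, and it is opened in a throwaway in-memory connection rather than on the site's live database.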


Hello, sorry for my slow reply!

To answer your questions:

Yes, I would like users to be able to run client-side scripts on my site. Users on my site would have profiles, and to maximise customization I would like them to be able to create scripts, and even provide an API and ways to store data for the creation of apps (something like Facebook or Chrome apps). I would like to have a section of an eCommerce store for the trade of these apps.

Well, I'm still a beginner, but my reasoning would be to provide a layer of abstraction really. Just let them make a web app using my API (or not, depending on whether they need data I already have) and then let them store it on my site and database. I want my database to store their application-specific database, and determine how much to charge them through an automated validation of their database.

However, I'm still just pondering over this idea..

P.S. The simplest way to deal with some of these issues would be to let them embed apps as iframes (I think this is how Facebook does it?), but that doesn't help with the embedding. Perhaps I could offer Facebook-style apps and then also some embeddable scripts that don't need data storage. I would like users to be able to edit their personal profile space with their own HTML/CSS, and be able to add jQuery or JavaScript functionality (like a carousel navigation, or a photo gallery). I am most concerned about validating the apps, as if I let them store it separately that is inviting all kinds of trouble, but then storing it on my own database invites costs.

Edited by pwolf: elaborated on my reasoning
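For the "own HTML/CSS in the profile space" part of the post above, the usual approach is an allowlist sanitizer: everything not explicitly permitted is dropped. The following is an added example written for this page (not code from the thread or from Django), built on the standard library's `html.parser` so it runs stand-alone; the tag and attribute lists are assumptions and would be tuned to the site. It removes script-bearing elements with their contents, strips `on*` handlers and non-http(s) URLs, re-escapes text, and closes tags the user left open.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not code from the thread. The allowlists below are assumed
# and deliberately small: anything not listed is stripped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "img", "span", "div", "blockquote"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "span": {"class"},
    "div": {"class"},
}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL


def is_safe_url(value):
    # Strip control characters first: browsers ignore them, so
    # "java\nscript:" would otherwise parse as scheme-less and slip through.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # emitted, not-yet-closed tags
        self.skip_depth = 0     # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return              # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue        # event handlers and unlisted attributes go
            if name in ("href", "src") and not is_safe_url(value):
                continue        # javascript:, data:, vbscript: ... go
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:   # close up to and including this tag
            t = self.open_tags.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape text

    def handle_comment(self, data):
        pass                    # comments never reach the page

    def result(self):
        self.close()
        while self.open_tags:   # close anything the user left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_profile_html(html):
    s = AllowlistSanitizer()
    s.feed(html)
    return s.result()
```

Run on the markup a user submits for their profile space and store the sanitized result, not the original, so the check cannot be bypassed later by a code path that forgets to call it. User CSS needs its own treatment (`expression()`, `url()` and `@import` are the usual concerns), and this sanitizer is only for the HTML-with-no-scripts case; the jQuery/JavaScript widgets mentioned in the post need isolation rather than filtering.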


I don't know if this idea will help you, but here goes nothing.

To build something secure you will have to use a server that is yours and use the HTTPS protocol.

For your login, salt and hash your passwords, and even MD5 encrypt them.

Don't use AJAX for posting sensitive user data, and don't use cookies to store users' passwords; use sessions, and be aware of session hijacking and CSRF attacks.
All in all, use a PHP framework and apply all security filters.

The advantages of NoSQL (MongoDB etc.) are that you will have a database that will scale and you can use multiple computers with it.

The disadvantages are that this type of database will queue every SQL command and write them later to your server.

Permitting users to submit code can be a very risky idea, but how about if you create the tools for them, like a generator to generate the code, and be able to verify and choose what type of code you want, something like a CSS3 generator.

Or create a sandbox where you verify the code and approve it or disapprove it depending on what the user submits.

Hope this helps.


Some of this is interesting and I haven't considered it, though most of it I have considered. I should have perhaps mentioned I will be using Python and Django for this project, not PHP.

Thank you for your input!


Regardless of your platform, user-supplied scripts are fishy. You'd need to check them out IMO. Are you sufficiently proficient at being able to check these files for malicious code? What if the script is minified or obfuscated or thousands of lines long? Or even compiled? Allowing Flash? I used a 3rd party script in a Blogger account a few years ago and a couple of weeks later every link on my blog went to a very naughty place. As a result Google will not allow me to use its monetising feature, because I'm a dirty man! He he. I took down the blog but I'm still viewed as a pariah. Security is paramount. Using any 3rd party code is a risk, but allowing unchecked scripts into your site is just asking for trouble.

Edited by diafol


Maybe I should find a way to minimize the risk and allow them to host their own apps or something, and adapt the reputation system to deal with apps as well. Then for the blogging space they can use HTML5 and some jQuery or something, or any JavaScript so long as there are no hyperlinks or HTTP requests outside of my API?
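The last post's condition ("any JavaScript so long as there are no HTTP requests outside of my API") is something the browser can enforce rather than a reviewer: serve each app from its own origin, embed it in a sandboxed iframe, and send it a Content-Security-Policy whose `connect-src` names only the API. The following is an added example for this page, not code from the thread or from any framework; the hostnames, the app-id rule and the header values are assumptions.

```python
import re

# Added example, not code from the thread. Assumed layout: the main site is
# SITE_ORIGIN, every user app lives on its own subdomain of APP_HOST (a
# separate origin, so it cannot read the site's cookies or DOM), and the
# only network endpoint an app may call is API_ORIGIN.
SITE_ORIGIN = "https://www.example-social.test"
APP_HOST = "apps.example-social.test"
API_ORIGIN = "https://api.example-social.test"

# Assumed id rule; keeps app ids from smuggling characters into the host
# name or the iframe attribute.
APP_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{2,31}$")


def is_valid_app_id(app_id):
    return bool(APP_ID_RE.match(app_id))


def app_origin(app_id):
    """Origin of one user app (one subdomain per app)."""
    if not is_valid_app_id(app_id):
        raise ValueError("invalid app id")
    return "https://%s.%s" % (app_id, APP_HOST)


def embed_iframe(app_id, width=400, height=300):
    """Markup the main site renders to embed an app. 'allow-scripts' without
    'allow-same-origin' lets the app run JavaScript but gives it an opaque
    origin; forms, popups and navigating the top page stay disabled."""
    return ('<iframe src="%s/" sandbox="allow-scripts" '
            'width="%d" height="%d" referrerpolicy="no-referrer"></iframe>'
            % (app_origin(app_id), int(width), int(height)))


def app_response_headers(app_id):
    """Headers the app host sends with an app's HTML. The policy allows the
    app's own scripts and styles, permits fetch/XHR only to API_ORIGIN,
    blocks plugins, nested frames and form posts, and lets only the main
    site frame it."""
    app_origin(app_id)   # validates the id
    csp = "; ".join([
        "default-src 'none'",
        "script-src 'self'",
        "style-src 'self'",
        "img-src 'self' data:",
        "connect-src %s" % API_ORIGIN,
        "form-action 'none'",
        "base-uri 'none'",
        "frame-ancestors %s" % SITE_ORIGIN,
    ])
    return {
        "Content-Security-Policy": csp,
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    }
```

Two consequences worth knowing before adopting this: because the sandboxed frame has an opaque origin, its calls to the API arrive cross-origin with `Origin: null`, so the API has to accept them via CORS and authenticate the app with a token passed into the frame, not with the site's session cookie; and CSP restricts where scripts may connect, not where plain links may point, so the "no hyperlinks" half of the question still needs the sandbox's default of no top-level navigation and no popups, which `embed_iframe` above keeps by not granting `allow-top-navigation` or `allow-popups`.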
