RE: [fw-general] Zend_Filter_Input...
You can use $this-_getParam('key', 'default'); in a Controller, because _getParam() use the Request-getParam() method, which tries first to load the param from the url, then from $_GET and after this from $_POST. If $this-_getParam() looks at the URL, GET and POST isn't it a potential security issue to use it for POST variables since you don't know exactly where your input variables are coming from? Seems rather similar to $_REQUEST to me which should also be avoided for similar reasons - http://shiflett.org/articles/ideology A quick look at the (nicely growing) manual it seems you can do the following which does the job nicely for POST variables: $myVar = $this-getPost('name'); (See API docs / Zend_Controller_Request_Http for more) There do seem to be a lot of methods that return variables from GET, POST, COOKIE, etc. I think it would be a good idea to mention the security implications of depending on these in the manual.. Si
Re: [fw-general] How to create a new issue?
You have to request posting permissions by email use the following link to mail for permission http://www.nabble.com/user/SendEmail.jtp?type=postpost=9600436i=0 Be sure to mention your account name cheers Tom Niko Sams wrote: Hello, This may sound stupid, but I can't create a new issue in the Zend Framework Issue Tracker. someone else had this problem too: http://framework.zend.com/wiki/display/ZFDEV/Issue+Tracker+Etiquette?focusedCommentId=19252#comment-19252 I have registered and logged in successfully, but I can't find the Create New Issue link. this doesn't work either: http://framework.zend.com/issues/secure/CreateIssue!default.jspa please help! niko -- View this message in context: http://www.nabble.com/How-to-create-a-new-issue--tf3446224s16154.html#a9610615 Sent from the Zend Framework mailing list archive at Nabble.com.
Re: [fw-general] How to create a new issue?
Niko Sams schreef: Hello, This may sound stupid, but I can't create a new issue in the Zend Framework Issue Tracker. someone else had this problem too: http://framework.zend.com/wiki/display/ZFDEV/Issue+Tracker+Etiquette?focusedCommentId=19252#comment-19252 I have registered and logged in successfully, but I can't find the Create New Issue link. this doesn't work either: http://framework.zend.com/issues/secure/CreateIssue!default.jspa please help! niko To report an issue or comment on an existing issue, you must email your JIRA account name to [EMAIL PROTECTED], and ask for posting privileges. Spammers forced us to use this new approval process. -- Andries Seutens http://andries.systray.be Gecontroleerd op virussen door de JOJO Secure Gateway.
Re: [fw-general] [Zend][Controller][Action] unsetParam() and some suggestions
-- Shekar C Reddy [EMAIL PROTECTED] wrote (on Wednesday, 21 March 2007, 09:34 PM -0400): 1. Perhaps, the setParam() method could be enhanced to unset/blow-off the key if the value passed is null... We don't want any keys with null values lingering around - that would increase complexity as we have to deal with null values! I know getParam() returns default null if the key does not exist but when I invoke getAllParams() to traverse the array, I may end up with some keys that have null values :( Or maybe, with a third/default $unset argument if the value passed is null, like so: Signature: _setParam( $key, $value, $unset = false ) Usage: _setParam( $key, null, true ) [if $value = null $unset = true, blow off the key] Good plan. I'll implement this soon. 2. Understandable. I did not request to eliminate the getRequest/getResponse methods - they are there to serve as an API to external objects. What I was referring to was invoking of these methods inside Zend_Controller_Action class script to access the protected request/response vars that are declared/defined right inside the same class. That would degrade performance (you may try load-testing the application). These vars could, instead, be accessed directly inside Zend_Controller_Action script: Eg: $this-_request-setParam( ... ) The point of accessors is to normalize access to properties. Using the properties directly within methods such as render(), _forward(), etc. could cause issues later for those who *do* override the getRequest()/getResponse() accessors -- basically, we'd be breaking *other* people's apps. As a performance optimization, typically what I do is, if needing the property more than once, I grab it like this: $request = $this-getRequest(); which will cut down on the number of times it's retrieved by the accessor. This is the only concession I'll make in this regard. On 3/21/07, Matthew Weier O'Phinney [EMAIL PROTECTED] wrote: -- Shekar C Reddy [EMAIL PROTECTED] wrote (on Wednesday, 21 March 2007, 06:00 AM -0400): 1. There is no method to unset a param in action controller or its request class. We need a unsetParam() method in action/request. You can always pass a null to setParam(): $this-setParam('someKey', null); The controller parameters are not really intended to be a general purpose storage mechanism; they're primarily for pushing values and objects from the front controller down through the controller chain (router, dispatcher, action controllers). I personally feel that if you're needing something like that, use a Zend_Config object in read/write mode and push it in either the registry or as a controller param. 2. I see usage of getRequest() and getResponse() methods inside the action class although these vars are sitting right inside the class itself (protected $_request, $_response) that can be accessed directly instead of invoking a method to access them. Accessing them directly inside the action class should improve performance. This is true. However, the accessors are there for cases where the developer may want to wrap some logic around retrieving these objects -- perhaps grabbing them from a registry, for instance. That said, when I know that there's no such logic in classes I'm using, I access them directly from the class properties. -- Matthew Weier O'Phinney PHP Developer| [EMAIL PROTECTED] Zend - The PHP Company | http://www.zend.com/ -- Matthew Weier O'Phinney PHP Developer| [EMAIL PROTECTED] Zend - The PHP Company | http://www.zend.com/
Re: [fw-general] Trouble with setControllerDirectory() in 0.9.0Beta
Thanks, Alexander When switching to modules everything is on track again - your suggestions worked, and I could get it running again. However, I still miss the functionality that 0.8.0 had, which enabled me to add multiple directories that will be searched for controllers. I'm going to start a new thread to address this specific issue, as the current issue I was having was solved by using the predefined modular structure. Thank you, Werner Alexander Netkachev wrote: On 3/21/07, *Werner* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: Hello, fellow ZF users I ran into trouble with setControllerDirectory() when switching from 0.8.0 to 0.9.0Beta. The following worked fine in 0.7.0 to 0.8.0: $frontController-setControllerDirectory( array( './src/admin/con', './src/con' ) ); $routePageHandler = new Zend_Controller_Router_Route( ':section/:task/:identifier/:subidentifier', array( 'section' = 'home', 'task' = 'view', 'identifier'= '', 'subidentifier' = '', 'controller'= 'page', 'action'= 'index' ) ); $router-addRoute('*', $routePageHandler); $routeAdminHandler = new Zend_Controller_Router_Route( 'admin/:section/:task/:identifier/:subidentifier', array( 'section' = 'login', 'task' = 'view', 'identifier'= '', 'subidentifier' = '', 'controller'= 'admin', 'action'= 'admin' ) ); $router-addRoute('admin', $routeAdminHandler); $frontController-setRouter($router); $frontController-dispatch(); I changed the setControllerDirectory params to the following in 0.8.0, and it still seemed to work: $frontController-setControllerDirectory( array( 'default' = './src/con', 'admin' = './src/admin/con' ) ); 1. The code above specifies that you have two modules 'default' and 'admin'. So you have controllers of /src/admin/con in admin module. That also means that controllers class names should be prefixed with Admin_, e.g. Admin_IndexController so please check this. 2. I think that you have the error because $routeAdminHandler does not specify a module the request should be passed to. So, the 'default' is used, not 'admin'. Just add 'module' = 'admin' to the parameters. Sincerely, -- Alexander http://www.alexatnet.com/ - Blog and CMS created with Zend Framework and Ajax.
[fw-general] Multiple ControllerDirectory paths
Hi! I want to specify multiple controller directories that should all be searched for controllers. I want to do this without deploying any predefined modular directory structures - just multiple paths for controllers (whether modules will be used or not). However, when specifying any additional directory path it seems like the first path is overwritten by the last specified path. E.g, is it possible to make something like this work...? $controller-throwExceptions(true) -setRouter($router) -setBaseUrl($baseUrl) -setControllerDirectory('/my/first/path') // Default directory -addControllerDirectory('/my/second/path') // Another directory -addControllerDirectory('/my/third/path'); // Yet another directory Any ideas, hint or tips on how to achieve this? Thank you for your time, Werner
Re: [fw-general] How to search multiple phrases using Zend_Search
Hi David, You have to retrieve text from MS-Word documents by yourself now. It would be good to have possibility for Word documents indexing, but Zend_Search_Lucene can only parse HTML documents - http://framework.zend.com/manual/en/zend.search.html#zend.search.index-creation.html-documents With best regards, Alexander Veremyev. [EMAIL PROTECTED] wrote: Alexander Veremyev, Thank you very much. I noticed that in the document of other languages, this feature was not mentioned. And another question. I have a lot of MS Word files, and I need to search them(just the text content). How could Zend_Search support this function or solve my question in any other way? Thanks in advance. David Linkfirst Solutions,Shanghai 2007-03-22 - Original Message - From: Alexander Veremyev [EMAIL PROTECTED] To: Partout [EMAIL PROTECTED] Cc: fw-general@lists.zend.com Sent: Monday, March 05, 2007 3:10 PM Subject: Re: [fw-general] How to search multiple phrases using Zend_Search Hi, Yes, it can. Use: --- My cool phrase1 AND My cool phrase2 AND --- or --- +My cool phrase1 +My cool phrase2 --- or --- My cool phrase1 OR My cool phrase2 OR --- or --- My cool phrase1 My cool phrase2 --- Take a look at query language description - http://framework.zend.com/manual/en/zend.search.query-language.html With best regards, Alexander Veremyev. Partout wrote: I need to get the results by searching several phrases, for example, phrase Software Engineer and phrase Telecom Related both. Could Zend_Search support this? And if it couldn't, how could I find the way to solve this? Thanks a lot in advance. View this message in context: How to search multiple phrases using Zend_Search http://www.nabble.com/How-to-search-multiple-phrases-using-Zend_Search-tf3346301s16154.html#a9305652 Sent from the Zend Framework mailing list archive http://www.nabble.com/Zend-Framework-f15440.html at Nabble.com.
Re: [fw-general] Wildcards routes and reset parameter
Olivier Sirven wrote: (...) I have tried to add the reset parameter to true but then I don't have any parameter at all, just /: echo $this-url(array('key1' = 'newvalue'), 'root', true); Is it a bug or a feature? It's more a bug than a feature. Fixed with commit 4715. Good catch, thanks :) If this is a feature, is there a way to assemble a wildcard route without taking into account the current parameters? There is another way to reset parameters. You can leave $reset as false but pass 'var' = null to assemble if you wish to reset specific url variables only. -- Martel Valgoerad aka Michal Minicki | [EMAIL PROTECTED] | http://aie.pl/martel.asc =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Idleness is not doing nothing. Idleness is being free to do anything. -- Floyd Dell
[fw-general] Feature-Request for Zend_Translate
Hy fellows, a user in the general list had an idea for simplification for Zend_Translate. Background is to increase readability and simplification of Zend_Translate by making it possible to autoecho the translation. Please see related issue ZF-1096. http://framework.zend.com/issues/browse/ZF-1096 As Zend_Translate is a class which is also used within the view to output the translated content this issue would not break the MVC Pattern in my opinion. We would like to collect opinions from others than Alex and me as we have different opinions for this issue ;-) We hope to get enough opinions, to make a decission before 0.9.1 or 0.9.2 to have this included or declined before 1.0. So please give us feedback ;-) Greetings Thomas I18N Team Leader
Re: [fw-general] Question about Zend_Filter_Input
Hi Thomas, Zend_Filter_Input has been deprecated and is no longer available - as you've noticed the current methodology is to set up filter or validator chains and pass in an element from $_POST, which of course means you need to run your isset() check to avoid the index error. Other possible options are using controller methods like Zend_Controller_Request_Http::getPost() which runs an isset() check though it's still verbose. In the future there should be proposals for improved chaining of $_POST so there's less individual handling of $_POST elements such as this. I also hope it's configurable so I can avoid the setup almost entirely - ;). Until then however - we're all in the same boat. The new classes are a big improvement design wise, so while it's making more work it opens vastly superior solutions in the future not possible with Zend_Filter_Input. It should be a price well paid for the long term gains. Paddy Pádraic Brady http://blog.astrumfutura.com http://www.patternsforphp.com - Original Message From: Thomas Eriksson [EMAIL PROTECTED] To: fw-general@lists.zend.com Sent: Wednesday, March 21, 2007 10:29:59 PM Subject: [fw-general] Question about Zend_Filter_Input !-- /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm;margin-bottom:.0001pt;font-size:12.0pt;font-family:Times New Roman;} a:link, span.MsoHyperlink {color:blue;text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {color:purple;text-decoration:underline;} span.E-postmall17 {font-family:Arial;color:windowtext;} _filtered {margin:70.85pt 70.85pt 70.85pt 70.85pt;} div.Section1 {} -- Hi What happened with the Zend_Filter_Input functions? I had this in my bootstrap file (index.php) Zend::register('post', new Zend_Filter_Input($_POST), false); Zend::register('get', new Zend_Filter_Input($_GET), false); And then I used that to filter input made by the user like this… $imaId = trim($post-noTags('imaId')); This was really good because if the imaId in the form that was submitted were an unchecked checkbox I didn’t get an error… But if I know use… Zend_Loader::loadClass('Zend_Filter_Striptags'); $filterChain = new Zend_Filter(); $filterChain-addFilter(new Zend_Filter_Striptags()); $imaId= $filterChain-filter($_POST['imaId']); I get a error notice out of this…Notice: undefined index imaId …and so on… Anybody who can help how to do this without having to use…isset($_POST[“…”]) everywhere? Regards /Thomas Now that's room service! Choose from over 150,000 hotels in 45,000 destinations on Yahoo! Travel to find your fit. http://farechase.yahoo.com/promo-generic-14795097
[fw-general] Re: [fw-db] A common pattern for instantiation of alternative classes by an object.
Matthew Ratzloff wrote: This would be a nice idea for a generalized component that would apply to all classes, but unfortunately you can't do it. For example, this doesn't work: $object = new Zend_Delegate::getClassName('Zend_Example'); It has to be in two steps: $class = Zend_Delegate::getClassName('Zend_Example'); $object = new $class; And it's downright impossible for static classes unless you use call_user_func() or call_user_func_array(): $class = Zend_Delegate::getClassName('Zend_Example'); call_user_func(array($class, 'method')); // Works $class::method(); // Syntax error There was no intention of it being used for static classes. It is purely a generalisation or a standard practice for classes that instantiate objects, and allow the class of these new objects to be changed. Zend_Db_Table_Abstract has these methods that manage this: setRowClass(); getRowClass(); setRowsetClass(); getRowsetClass(); Also, Zend_Db_Adapter_Abstract can currently generate Zend_Db_Profiler and Zend_Db_Select objects, but provides no way of selecting alternative implementations or subclasses of these. My proposal is to provide a generic way of allowing any class that has this behaviour to allow the user to set the class of these objects before they are instantiated. It's all about instantiation, so static access isn't an issue. If we went along the global registration route, using Zend_Db_Adapter_Abstract for example: public function select() { return new Zend_Db_Select($this); } becomes: public function select() { $class = Zend_Factory::getClass(__CLASS__, 'select'); return new $class(); } Then we can register an alternative/subclass of Zend_Db_Select using something like: Zend_Factory::setClass('Zend_Db_Adapter_Abstract', 'select', 'MyAlternativeSelect'); then everytime we call $adapter-select(), an instance of MyAlternativeSelect is returned rather than Zend_Db_Select. This would eliminate the need for get/set*Class() style methods in each class. - Mark.
[fw-general] Re: [fw-mvc] Render-method question
Hi Jörg, You could likely add such behaviour if you wanted by subclassing the Zend_Controller_Action class - actually you do quite a lot of setup tasks using subclassing. Since render() is a public method, you can subclass Action and add your own version to meet any requirements you wish. I wouldn't really recommend it for the core class however - there's already a View object and while some proxy methods are a welcome addition the more they are added to the less the core class starts to look like an independent entity. Pádraic Brady http://blog.astrumfutura.com http://www.patternsforphp.com - Original Message From: Jörg Sandkuhle [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, March 22, 2007 10:35:34 AM Subject: [fw-mvc] Render-method question Hello! I have a suggestion to the new Zend_Controller_Action-render() method. Wouldnt it be nice to pass additional parameter to the render method for the view ? e.g. public function render($action = null, $name = null, $noController = false, $params=array()). So you dont have to instantiate the view in an action befor you can pass parameter to it. ?php . public function errorAction() { $this-initView(); $this-view-errorMessage = Login or password is wrong! $this-render(); } . ? Or did i missed something? Regards Jörg Finding fabulous fares is fun. Let Yahoo! FareChase search your favorite travel sites to find flight and hotel bargains. http://farechase.yahoo.com/promo-generic-14795097
Re: [fw-general] Multiple ControllerDirectory paths
-- Werner [EMAIL PROTECTED] wrote (on Thursday, 22 March 2007, 01:44 PM +0200): I want to specify multiple controller directories that should all be searched for controllers. I want to do this without deploying any predefined modular directory structures - just multiple paths for controllers (whether modules will be used or not). However, when specifying any additional directory path it seems like the first path is overwritten by the last specified path. E.g, is it possible to make something like this work...? $controller-throwExceptions(true) -setRouter($router) -setBaseUrl($baseUrl) -setControllerDirectory('/my/first/path') // Default directory -addControllerDirectory('/my/second/path') // Another directory -addControllerDirectory('/my/third/path'); // Yet another directory Any ideas, hint or tips on how to achieve this? This functionality was ditched prior to 0.8.0 as it added too much overhead, and won't be added again anytime soon. Basically, keeping track of a stack of directories *per* *module*, and then having to search each *set* of directories for a controller was very resource intensive, for very little benefit. If you need several directories of controllers all in the same namespace, you might want to try using symlinks or consolidating. Alternatively, you can implement your own dispatcher and front controller -- you'd need to override the front controller's add/setControllerDirectory() methods, and the dispatcher's getControllerName() method. -- Matthew Weier O'Phinney PHP Developer| [EMAIL PROTECTED] Zend - The PHP Company | http://www.zend.com/
Re: [fw-general] Zend_Filter_Input...
-- Pádraic Brady [EMAIL PROTECTED] wrote (on Thursday, 22 March 2007, 03:36 AM -0700): In agree with you Simon - if we have too many sources for input variables, some of which check varying sources in priority it's just another $_REQUEST situation where these values could conceivably come from anywhere. It's better practice to use a method which selects values from a known source on the basis if it comes from anywhere else unexpectedly it should ring a few alarm bells for the developer. I'd actually call it first line filtering/validation - if we know a value should be received via POST then if the same value is retrievable from GET it should be ignored unless it's for a valid reason. Please remember that Zend_Controller_Request_* was built to help with routing and dispatching -- which is why getParam() pulls from a variety of sources (when determining how to route a request, the salient input could come from a variety of sources -- the path, query parameters, post parameters, etc.). It was never intended as a general-purpose object for input filtering -- that's a goal for a later iteration, which will still need to account for the variety of sources when dealing with routing. - Original Message From: Simon R Jones [EMAIL PROTECTED] To: Zend Mailing List fw-general@lists.zend.com Sent: Thursday, March 22, 2007 8:13:19 AM Subject: RE: [fw-general] Zend_Filter_Input... You can use $this-_getParam('key', 'default'); in a Controller, because _getParam() use the Request-getParam() method, which tries first to load the param from the url, then from $_GET and after this from $_POST. If $this-_getParam() looks at the URL, GET and POST isn't it a potential security issue to use it for POST variables since you don't know exactly where your input variables are coming from? Seems rather similar to $_REQUEST to me which should also be avoided for similar reasons - http://shiflett.org/articles/ideology A quick look at the (nicely growing) manual it seems you can do the following which does the job nicely for POST variables: $myVar = $this-getPost('name'); (See API docs / Zend_Controller_Request_Http for more) There do seem to be a lot of methods that return variables from GET, POST, COOKIE, etc. I think it would be a good idea to mention the security implications of depending on these in the manual.. -- Matthew Weier O'Phinney PHP Developer| [EMAIL PROTECTED] Zend - The PHP Company | http://www.zend.com/
Re: [fw-general] Multiple ControllerDirectory paths
Thanks Matthew Extending the front controller will do the trick nicely. Ditching the multiple directory support in favor of performance is also not something I will complain about :-) The nice thing about ZF is that it can easily be extended, so I'll take that route for this specific project. Thanks again, Werner Matthew Weier O'Phinney wrote: -- Werner [EMAIL PROTECTED] wrote (on Thursday, 22 March 2007, 01:44 PM +0200): I want to specify multiple controller directories that should all be searched for controllers. I want to do this without deploying any predefined modular directory structures - just multiple paths for controllers (whether modules will be used or not). However, when specifying any additional directory path it seems like the first path is overwritten by the last specified path. E.g, is it possible to make something like this work...? $controller-throwExceptions(true) -setRouter($router) -setBaseUrl($baseUrl) -setControllerDirectory('/my/first/path') // Default directory -addControllerDirectory('/my/second/path') // Another directory -addControllerDirectory('/my/third/path'); // Yet another directory Any ideas, hint or tips on how to achieve this? This functionality was ditched prior to 0.8.0 as it added too much overhead, and won't be added again anytime soon. Basically, keeping track of a stack of directories *per* *module*, and then having to search each *set* of directories for a controller was very resource intensive, for very little benefit. If you need several directories of controllers all in the same namespace, you might want to try using symlinks or consolidating. Alternatively, you can implement your own dispatcher and front controller -- you'd need to override the front controller's add/setControllerDirectory() methods, and the dispatcher's getControllerName() method.
[fw-general] ZF 0.8.0
Could someone send me the ZF 0.8.0? I will start with it, cause there is no tutorial for ZF 0.9.0... Best Regards, José
[fw-general] CLA procesing time?
Hi, I was just wondering how long it takes to process the CLAs? I submitted mine a couple of days ago and not heard anything yet. Cheers, Jack -- View this message in context: http://www.nabble.com/CLA-procesing-time--tf3448016s16154.html#a9616288 Sent from the Zend Framework mailing list archive at Nabble.com.
[fw-general] How to configure this route
Hi, I don't see how to implements this structure : /application /controllers /models /views /my_module /controllers IndexController.php /admin IndexController.php /models /admin /views /admin I write this, and I don't see where to say that the controller directory fot the route : /my_module/admin is : /application//my_module/controllers/admin Thanks for your help $router = new Zend_Controller_Router_Rewrite(); $route = new Zend_Controller_Router_Route( my_module/admin/, array( controller= 'index', action=index ) ); $router-addRoute(admin,$route); $controller = Zend_Controller_Front::getInstance(); $controller-setControllerDirectory(array( 'default' = CONTROLLERS_PATH, 'qualix' = HOME_PATH . 'application/qualix/controllers/', )); $controller-setRouter($router); $controller-throwExceptions(true); $controller-dispatch();
Re: [fw-general] Zend_Filter_Input...
Hopefully getParam will be unified with the rest of the get* methods in Zend_Request, and this all wont be a problem. - Original Message - From: Simon R Jones [EMAIL PROTECTED] To: fw-general@lists.zend.com Sent: Thursday, March 22, 2007 10:34 AM Subject: RE: [fw-general] Zend_Filter_Input... It was never intended as a general-purpose object for input filtering -- that's a goal for a later iteration, which will still need to account for the variety of sources when dealing with routing. That's fine, just as long as new users always use $_POST or getPost() to retrieve POST variables so they know where they are coming from. Just something that may be worth highlighting in the manual for 1.0 - Presumably there will be/is a small section saying where to get various things when using the Router (i.e. URL parameters, GET vars, POST vars)? best wishes, Si
Re: [fw-general] A common pattern for instantiation of alternative classes by an object.
In that case, you might as well make it a true factory and just have: return Zend_Delegate::factory('Zend_Controller_Request_Http', $parameters); which queries Zend_Delegate for any user-specified delegates and instantiates them. Defining delegates would be specified like this: Zend_Delegate::setDelegate('Zend_Controller_Request_Http', 'My_Controller_Request_Http'); There's no need to limit it solely to Zend_Db. Any instantiated class in the framework could be overridden from the bootstrap (so long as its method signatures matched). This is actually something I'm currently doing in one of my projects, in a slightly different way (because no delegating is taking place internally in Zend Framework). This then would only need to be used with internal code, or for extensibility-minded open-source developers releasing code based on Zend Framework. So code-completion concerns aren't so much an issue for the broader user base. Also, it probably would be better to just have it at a class-level, not a method level. Users can just extend a class and add or modify a single method if they need to. -Matt On Thu, March 22, 2007 4:34 am, Mark Gibson wrote: There was no intention of it being used for static classes. It is purely a generalisation or a standard practice for classes that instantiate objects, and allow the class of these new objects to be changed. Zend_Db_Table_Abstract has these methods that manage this: [...] public function select() { $class = Zend_Factory::getClass(__CLASS__, 'select'); return new $class(); } Then we can register an alternative/subclass of Zend_Db_Select using something like: Zend_Factory::setClass('Zend_Db_Adapter_Abstract', 'select', 'MyAlternativeSelect');
Re: [fw-general] Zend_Filter_Input...
-- Ed Finkler [EMAIL PROTECTED] wrote (on Thursday, 22 March 2007, 01:27 PM -0400): On 3/22/07, Matthew Weier O'Phinney [EMAIL PROTECTED] wrote: Please remember that Zend_Controller_Request_* was built to help with routing and dispatching -- which is why getParam() pulls from a variety of sources (when determining how to route a request, the salient input could come from a variety of sources -- the path, query parameters, post parameters, etc.). It was never intended as a general-purpose object for input filtering -- that's a goal for a later iteration, which will still need to account for the variety of sources when dealing with routing. That security considerations are not part of the initial implementation, but something added later in the process, is in and of itself worrisome. There's a heavy amount of filtering going on in the router and dispatcher -- that's where the security is residing for this implementation. Zend_Controller_Request_Abstract has *no* methods for interacting with the environment whatsoever -- simply accessors for setting parameters and module/controller/action values. The HTTP version is designed to pull information out of the HTTP environment in order to aid routing and dispatch tasks; this includes the path, query string parameters, post variables, cookies, and more. Again, the point was not for general purpose consumption by userland scripts. However, since it is made accessible by the action controllers (in order to allow things like action forwarding), many have used it for pulling data in much the way $_REQUEST has been used in the past. Once I realized people were using the request object in order to pull GET and POST data -- instead of accessing those superglobals themselves, or using a proxy such as Zend_Filter_Input, I realized that this would be a security vector. However, without stable validation/filtering classes ready, this simply could not be addressed properly. Now that they are, we can begin addressing this. This is why I mentioned that it will be dealt with in a later iteration. Any solution will need to remain backwards compatible with the current API, however. This should not be difficult due to the nature of the accessors. -- Matthew Weier O'Phinney PHP Developer| [EMAIL PROTECTED] Zend - The PHP Company | http://www.zend.com/
Re: [fw-general] Zend_Filter_Input...
getParam should, imho, return params only, if theres need for routing for cacaded stuff then maybe a getInput or similar. You shouldn't be able to override post data with a param, or, at least thats not how the fw should be recommending apps be built using getParam like $_REQUEST. If you get rid of the $_request-like way of getParam, then the validation question of origin becomes less problematic. Anyone using getParams etc should already be validating the type of data (as it's from userland) with Zend_Validate/Zend_Filter, and/or putting a regexp on the route. However, my response was in response to That's fine, just as long as new users always use $_POST or getPost() to retrieve POST variables so they know where they are coming from. If you change getParams, this problem goes away completely. Kevin - Original Message - From: Matthew Weier O'Phinney [EMAIL PROTECTED] To: fw-general@lists.zend.com Sent: Thursday, March 22, 2007 10:59 AM Subject: Re: [fw-general] Zend_Filter_Input... -- Kevin McArthur [EMAIL PROTECTED] wrote (on Thursday, 22 March 2007, 11:36 AM -0700): Hopefully getParam will be unified with the rest of the get* methods in Zend_Request, and this all wont be a problem. I fail to see how this is even related to the discussion. The request you had earlier this week was to have getParam(null) return the entire list of params, vs. having a getParams() method -- what does this have to do with input filtering? Additionally, getParam() right now looks through several arrays: * internal param store (usu. set by the router from the request uri) * $_GET params * $_POST params The reason for this is that information necessary for routing can be found in each of these, and if not found in one should cascade down through the others until found (if available). Note: getUserParam()/getUserParams() return just the internal param store. To normalize the API, I will definitely consider modifying getParam() and getUserParam() to accept a null argument to return the entire arrays, and then remove getParams() and getUserParams(). But I'm not sure that these changes address the input filtering discussion. - Original Message - From: Simon R Jones [EMAIL PROTECTED] To: fw-general@lists.zend.com Sent: Thursday, March 22, 2007 10:34 AM Subject: RE: [fw-general] Zend_Filter_Input... It was never intended as a general-purpose object for input filtering -- that's a goal for a later iteration, which will still need to account for the variety of sources when dealing with routing. That's fine, just as long as new users always use $_POST or getPost() to retrieve POST variables so they know where they are coming from. Just something that may be worth highlighting in the manual for 1.0 - Presumably there will be/is a small section saying where to get various things when using the Router (i.e. URL parameters, GET vars, POST vars)? -- Matthew Weier O'Phinney PHP Developer| [EMAIL PROTECTED] Zend - The PHP Company | http://www.zend.com/
Re: [fw-general] Bug in Table/Abstract and more
Ya I noticed the sequence issues, but running 8.1 the defaults (now 0.9.0) work right. I wonder, is there a way to set the sequence name and if not maybe there should be... K - Original Message - From: Teemu Välimäki [EMAIL PROTECTED] To: fw-general@lists.zend.com Sent: Thursday, March 22, 2007 1:29 PM Subject: [fw-general] Bug in Table/Abstract and more Hi, with 22 day snapshot Db/Table/Abstract.php on line 399 return $this-_db-lastInsertId(); should apparently give $this-_name as a parameter, otherwise the call will always fail. lastInsertId has a $tableName = null and the first thing is if (!$tableName) throw. After I fixed line 399 with $this-_name I got sequence does not exists error. On Db/Adapter/Pdo/Pgsql.php on line 202 there's a huge assumption how the sequence is formed. With 8.2 auto generated sequences are named like {$tableName}_{$tableName}_{$primaryKey}_seq. After fixing these all seem to work well. I'm not sure if this automatic sequence creation is defined in Postgresql configurations but this has been the setup on FreeBSD 6.2 and *buntu 6.10. Cheers!
[fw-general] How to create my own exception handler method ?
Hey :) Im traying to make my own exception handler, I set a global exception handler function, set_exception_handler( 'exceptionHandler' ), to deal with the throw Exception() command, so when the Exception jumps to this function I want to show all the Exception information into a view, but how to redirect this data to a view ? I mean, how to call a Controller there ? this function is defined on the bootstrap index.php, so I try to do something like that: Define a global method to deal with the exceptions, this method is on the bootstrap index.php. In this function I make a Zend::loadClass( 'ExceptionHandler' ); this class is where Im going to send an email or something and off course show some Exceptions attributes, like the line of the error and stuff like that. But cause this class is not part of the framework I can't never load a controller to instance an action there an then show this information into a view. Somebody can help me on this ? Thx.
Re: [fw-general] How to create my own exception handler method ?
Here is code from CMS of my site: function errorHandler($errno, $errstr, $errfile, $errline) { throw new Exception($errstr, $errno); } set_error_handler('errorHandler'); ... skip initialization code try { $front-dispatch(); } catch (Exception $e) { if ($e instanceof Zend_Controller_Dispatcher_Exception) { $front-setRequest(new Zend_Controller_Request_Http(MYSPHERE_URL . '/error/error404')); $front-dispatch(); } elseif ('debug' == $config-mode) { throw $e; } else { $front-setRequest(new Zend_Controller_Request_Http(MYSPHERE_URL . '/error/error500')); $front-dispatch(); } } Sincerely, On 3/22/07, Juan Felipe Alvarez Saldarriaga [EMAIL PROTECTED] wrote: Hey :) Im traying to make my own exception handler, I set a global exception handler function, set_exception_handler( 'exceptionHandler' ), to deal with the throw Exception() command, so when the Exception jumps to this function I want to show all the Exception information into a view, but how to redirect this data to a view ? I mean, how to call a Controller there ? this function is defined on the bootstrap index.php, so I try to do something like that: Define a global method to deal with the exceptions, this method is on the bootstrap index.php. In this function I make a Zend::loadClass( 'ExceptionHandler' ); this class is where Im going to send an email or something and off course show some Exceptions attributes, like the line of the error and stuff like that. But cause this class is not part of the framework I can't never load a controller to instance an action there an then show this information into a view. Somebody can help me on this ? Thx. -- Alexander http://www.alexatnet.com/ - Blog and CMS created with Zend Framework and Ajax.
Re: [fw-general] Tutorial Zend Framework and Smarty
Consider the following: * Primitus application: http://framework.zend.com/wiki/x/hw0, now available in SVN. * http://akrabat.com/zend-framework-tutorial/ * External Resources - Tutorials, Articles, and Examples: http://framework.zend.com/wiki/x/q Sincerely, On 3/22/07, José de Menezes Soares Neto [EMAIL PROTECTED] wrote: Friends, I am looking for two tutorials that helps me to: - Use Zend Framework - Integrate ZF and Smarty Best regards, José de Menezes -- Alexander http://www.alexatnet.com/ - Blog and CMS created with Zend Framework and Ajax.
Re: [fw-general] getting-started-with-the-zend-framework_124.pdf
Hi, 1. Probably it is better to address this issue to the author of the tutorial... 2. It would be nice to narrow down the problem and create example that shows a problem and this example should be as small as possible. Sincerely, Alex On 3/22/07, José de Menezes Soares Neto [EMAIL PROTECTED] wrote: Hi, I am following this tutorial. And I am getting this error for redirecting: *Fatal error*: Uncaught exception 'Zend_Controller_Response_Exception' with message 'Cannot send headers; headers already sent' in D:\www\projeto\lib\Zend\Controller\Response\Abstract.php:240 Stack trace: #0 D:\www\projeto\lib\Zend\Controller\Response\Abstract.php(125): Zend_Controller_Response_Abstract-canSendHeaders(true) #1 D:\www\projeto\lib\Zend\Controller\Action.php(607): Zend_Controller_Response_Abstract-setRedirect('/projeto/', 302) #2 D:\www\projeto\application\controllers\IndexController.php(143): Zend_Controller_Action-_redirect('/') #3 D:\www\projeto\lib\Zend\Controller\Action.php(392): IndexController-deleteAction() #4 D:\www\projeto\lib\Zend\Controller\Dispatcher\Standard.php(211): Zend_Controller_Action-dispatch('deleteAction') #5 D:\www\projeto\lib\Zend\Controller\Front.php(750): Zend_Controller_Dispatcher_Standard-dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http)) #6 D:\www\projeto\index.php(44): Zend_Controller_Front-dispatch() #7 {main} thrown in * D:\www\projeto\lib\Zend\Controller\Response\Abstract.php* on line *240* ** Could someone help me?
Re: [fw-general] Zend_Filter_Input...
Well, my point was that because any of those can be manipulated (POST, GET, COOKIE, etc.), selecting from a specific source can lead to a false sense of added security. Better to make your application capable of reliably accepting data from any source and acting on it appropriately. In other words, to deal with user data as if it had come from a single source: the user. -Matt On Thu, March 22, 2007 3:27 pm, Pádraic Brady wrote: np ;), but isn't that the same or a related point I reiterated? Yes, developers should be aware data can come from anywhere, which also makes it important they know to narrow down access methods to eliminate unexpected ones - standard security practice. Surely that was always the problem of using $_REQUEST in preference to deliberately selecting one of $_POST, $_GET, $_COOKIE. Just as improperly relying on getParam (since it's currently an accessible public method) instead of getPost hides where the data came from, adding an unnecessary element of risk which today we see in CSRF vectors. All I intended to note (sorry if my wording was obscure!) was using a multi-source method was bad practice. I have bad habit I think of stating the obvious across a page of text :). Yep, definitely bad. Also, I wish I understood or had read more about the Request object. It was my impression the Request object was not solely intended for controller logic. I guess I misinterpreted its uses since it seemed a natural fit for any standard Request object - really should note the distinction in the manual because it should be avoided if that's the case. Or maybe I should read the manual more often in case it already is! Pádraic Brady http://blog.astrumfutura.com http://www.patternsforphp.com - Original Message From: Matthew Ratzloff [EMAIL PROTECTED] To: Zend Framework General fw-general@lists.zend.com Sent: Thursday, March 22, 2007 6:23:47 PM Subject: Re: [fw-general] Zend_Filter_Input... [I]f we have too many sources for input variables, some of which check varying sources in priority it's just another $_REQUEST situation where these values could conceivably come from anywhere. The data DOES come from anywhere. Data is not somehow more secure if it is POST. POST variables can be manipulated with only slightly more difficulty in a browser than modifying the query string, and when using something like cURL or Zend_Http_Client the difference is insignificant. Data should be checked not only for well-formedness (e.g., correct data type) but also for validity and access rights. Whatever filtering solution is created post-1.0, it is not going to be a comprehensive solution unless used in combination with Zend_Validate, Zend_Auth, and Zend_Acl. Most PHP developers either don't understand this, don't care about this, or their development timeline is paced so ridiculously short that they don't have time to deal with it. Most of the time it's one of the first two. In the third case, I've had to show clients numerous times how easy it is to get into supposedly secure web applications, just to show how important it is to get it right. You would be surprised how little difficulty you encounter when trying to gain access to supposedly secure web systems because of attitudes like it comes from POST, therefore it's more secure. Not trying to pick on you, Simon and Pádraic. :-) But I would actually PREFER that developers always be aware that their data can come from anywhere, just so they stay paranoid. -Matt On Thu, March 22, 2007 3:36 am, Pádraic Brady wrote: In agree with you Simon - if we have too many sources for input variables, some of which check varying sources in priority it's just another $_REQUEST situation where these values could conceivably come from anywhere. It's better practice to use a method which selects values from a known source on the basis if it comes from anywhere else unexpectedly it should ring a few alarm bells for the developer. I'd actually call it first line filtering/validation - if we know a value should be received via POST then if the same value is retrievable from GET it should be ignored unless it's for a valid reason. Pádraic Brady http://blog.astrumfutura.com http://www.patternsforphp.com - Original Message From: Simon R Jones [EMAIL PROTECTED] To: Zend Mailing List fw-general@lists.zend.com Sent: Thursday, March 22, 2007 8:13:19 AM Subject: RE: [fw-general] Zend_Filter_Input... You can use $this-_getParam('key', 'default'); in a Controller, because _getParam() use the Request-getParam() method, which tries first to load the param from the url, then from $_GET and after this from $_POST. If $this-_getParam() looks at the URL, GET and POST isn't it a potential security issue to use it for POST variables since you don't know exactly where your input variables are coming from? Seems rather similar to $_REQUEST to me which should also be avoided for similar
[fw-general] problem for zend_feed
Hi,there i met a problem when i produce a rss feed.How can i encode the entry title?If the entry title contain the char,a warning would occure. *Warning*: DOMDocument::createElement() [function.DOMDocument-createElementhttp://www.fzfz.com/rss/function.DOMDocument-createElement]: unterminated entity reference Regards, Jacky