Re: [fw-general] Security - Preventing SQL Injections, XSS etc
Oh, Matthew Weier O'Phinney mentioned that... I meant when escaping for SQL this time.

vince. wrote:
> You could use $this->view->escape

--
View this message in context: http://www.nabble.com/Security---Preventing-SQL-Injections%2C-XSS-etc-tp23900449p23909053.html
Sent from the Zend Framework mailing list archive at Nabble.com.
Re: [fw-general] Zend Server + IIS7.5 + Zend Framework (HTACCESS)
Does anyone use IIS7 with Zend Framework?

iceangel89 wrote:
> I have installed Zend Server with integration for IIS7.5. Now I need to get ZF working... I think I am missing htaccess. I am trying to use http://learn.iis.net/page.aspx/460/using-url-rewrite-module/ - I dunno if it will work, but has anyone got ZF to work with IIS?
Re: [fw-general] Zend Server + IIS7.5 + Zend Framework (HTACCESS)
iceangel89 wrote:
> Does anyone use IIS7 with Zend Framework?
>
> iceangel89 wrote:
> > I have installed Zend Server with integration for IIS7.5. Now I need to get ZF working... I think I am missing htaccess. I am trying to use http://learn.iis.net/page.aspx/460/using-url-rewrite-module/ - I dunno if it will work, but has anyone got ZF to work with IIS?

It's actually quite easy:

- install the URL-Rewrite-Module
- add a web.config to your public folder with the following content

    <?xml version="1.0" encoding="UTF-8"?>
Re: [fw-general] Zend Server + IIS7.5 + Zend Framework (HTACCESS)
Oops, something is missing. The web.config should look like:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <defaultDocument>
          <files>
            <clear />
            <add value="index.php" />
          </files>
        </defaultDocument>
        <rewrite>
          <rules>
            <clear />
            <!-- Requests for files or directories that really exist under the public folder are served as-is -->
            <rule name="MatchExistingFiles" stopProcessing="true">
              <match url="^.*$" />
              <conditions logicalGrouping="MatchAny">
                <add input="{REQUEST_FILENAME}" matchType="IsFile" pattern="" ignoreCase="false" />
                <add input="{REQUEST_FILENAME}" matchType="IsDirectory" pattern="" ignoreCase="false" />
              </conditions>
              <action type="None" />
            </rule>
            <!-- Everything else goes to the front controller -->
            <rule name="RemapMVC" stopProcessing="true">
              <match url="^.*$" />
              <conditions logicalGrouping="MatchAll" />
              <action type="Rewrite" url="index.php" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>

From: Stefan Gehrig [mailto:geh...@ishd.de]
Sent: Sunday, 7 June 2009 11:54
To: fw-general@lists.zend.com
Subject: Re: [fw-general] Zend Server + IIS7.5 + Zend Framework (HTACCESS)

iceangel89 wrote:
> Does anyone use IIS7 with Zend Framework?
>
> iceangel89 wrote:
> > I have installed Zend Server with integration for IIS7.5. Now I need to get ZF working... I think I am missing htaccess. I am trying to use http://learn.iis.net/page.aspx/460/using-url-rewrite-module/ - I dunno if it will work, but has anyone got ZF to work with IIS?

It's actually quite easy:

- install the URL-Rewrite-Module
- add a web.config to your public folder with the following content
Re: [fw-general] Security - Preventing SQL Injections, XSS etc
On Sun, Jun 7, 2009 at 11:12 AM, iceangel89 <comet2...@gmail.com> wrote:
> Oh, Matthew Weier O'Phinney mentioned that... I meant when escaping for SQL this time.

Read this first:
http://framework.zend.com/manual/en/zend.db.html#zend.db.adapter.quoting

Then take a look at this example:
http://framework.zend.com/manual/en/zend.db.html#zend.db.adapter.select.fetchassoc

Till
[fw-general] How do I get the value of one element in a validator of another element in the same Zend_Form scope?
Hi,

I've got a custom Zend_Form with two fields (id and name), which are Zend_Form_Elements. I need to validate the name field. To validate the name field, I need the id field value. I don't know how I can implement this dependency.

I think I need to write my own validator for the name element, which will call the getValue() method of the id element in its isValid() method, so that I can validate. But I don't know how to access the id element within the name validator.

--
Regards,
Thomas
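One way to get at the id value from inside the name validator, as an added example that is not part of the thread: Zend_Form passes the whole array of submitted data as the second argument of every validator's isValid(), so the name validator can read $context['id'] without touching the id element at all. The code assumes Zend Framework 1.x on the include_path; the class name My_Validate_NameUniqueExceptSelf and the in-memory record list are constructed for illustration and stand in for a database lookup.

```php
<?php
// Added example (not from the thread): validate the "name" element against the
// submitted "id" element via the $context array that Zend_Form hands to validators.
// Assumes the Zend Framework 1.x library is on the include_path.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

class My_Validate_NameUniqueExceptSelf extends Zend_Validate_Abstract
{
    const TAKEN = 'nameTaken';
    const NO_ID = 'noId';

    protected $_messageTemplates = array(
        self::TAKEN => "'%value%' is already used by another record",
        self::NO_ID => 'cannot validate the name without a numeric id',
    );

    // Constructed stand-in for a database table: id => name.
    private $_records;

    public function __construct(array $records)
    {
        $this->_records = $records;
    }

    public function isValid($value, $context = null)
    {
        $this->_setValue($value);

        // $context is the raw submitted form data, so the id is exactly what the
        // client sent: check its shape here rather than trusting it.
        if (!is_array($context) || !isset($context['id'])
            || !ctype_digit((string) $context['id'])) {
            $this->_error(self::NO_ID);
            return false;
        }
        $id = (int) $context['id'];

        // The name may stay the same for the record being edited, but must not
        // collide with any other record.
        foreach ($this->_records as $recordId => $name) {
            if ($recordId !== $id && strcasecmp($name, $value) === 0) {
                $this->_error(self::TAKEN);
                return false;
            }
        }
        return true;
    }
}

// Constructed records; in a real application this would be a table lookup.
$existing = array(1 => 'alice', 2 => 'bob');

$form = new Zend_Form();
$form->addElement('hidden', 'id', array('required' => true, 'validators' => array('Int')));
$form->addElement('text', 'name', array('required' => true));
$form->getElement('name')->addValidator(new My_Validate_NameUniqueExceptSelf($existing));

// Keeping record 1's own name is fine; renaming it to "Bob" collides with record 2.
var_dump($form->isValid(array('id' => '1', 'name' => 'alice')));   // bool(true)
var_dump($form->isValid(array('id' => '1', 'name' => 'Bob')));     // bool(false)
print_r($form->getMessages());
```

Zend_Form::isValid() calls each element's isValid($value, $data) and Zend_Form_Element forwards that second argument to every validator, which is also how the shipped Zend_Validate_Identical confirms a password field against its repeat field.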
Re: [fw-general] Security - Preventing SQL Injections, XSS etc
-- iceangel89 <comet2...@gmail.com> wrote (on Saturday, 06 June 2009, 08:51 PM -0700):
> Matthew Weier O'Phinney-3 wrote:
> > (In 2.0, we will make escaping the default within Zend_View, and require
> > you to explicitly ask for raw data if you don't want escaping.)
>
> That will be much better!
>
> Hmm, sometimes if I have a complex query with joins to a lot of tables... and I don't have time to find out what's the ZF way to do things... can I use
>
>     $val = escapeSql($this->getRequest()->getParam('username')); // is there an escape SQL function?
>     $db->fetchAll("SELECT * FROM Users WHERE username = '" . $val . "'");

Each adapter has a quoteInto() method:

    $sql = $db->quoteInto(
        'SELECT * FROM Users WHERE username = ?',
        $this->getRequest()->getParam('username')
    );
    $results = $db->fetchAll($sql);

However, as noted before, it's usually easier and better to use Zend_Db_Select, as it does this basically for you. More on that below.

> And you meant not just Zend_Db_Select, right? You refer to the quoting mechanism. Zend_Db_Select by itself just gives a normal SQL, right? Is it quoteInto()/where() etc. that escapes for SQL? What if I need to escape something not in where? Maybe in the joins or having or something else?

Zend_Db_Select does this for you, as the Select objects are adapter specific. As an example, assuming you are using Sqlite for your database, if you do the following:

    $select = $db->select();
    $select->from(array('u' => 'Users'))
           ->join(array('g' => 'Groups'), 'u.gid = g.id')
           ->where('g.name = ?', $group);

you will get the following SQL:

    SELECT u.*, g.* FROM Users AS u INNER JOIN Groups AS g ON u.gid = g.id WHERE (g.name = 'foo')

As you can see, it does the appropriate quoting for the database adapter.

Read the Zend_Db chapter. If you use the various quoting mechanisms, the insert/update/delete methods, and Zend_Db_Select, you'll be protecting your application quite well from SQL injections.

--
Matthew Weier O'Phinney
Project Lead            | matt...@zend.com
Zend Framework          | http://framework.zend.com/
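The quoting mechanisms Till's links and Matthew's reply describe, shown side by side as an added example that is not part of the thread: the concatenated query from the question, quoteInto(), and a Zend_Db_Select with a join, all run against an in-memory SQLite database. The code assumes Zend Framework 1.x on the include_path with the PDO SQLite driver available; the Users/Groups schema and rows are constructed to match the tables named in the thread, and the input value is a legitimate name that merely contains a quote character.

```php
<?php
// Added example (not from the thread): contrast string concatenation with
// quoteInto() and Zend_Db_Select on an in-memory SQLite database.
// Assumes the Zend Framework 1.x library is on the include_path.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Constructed sample schema and rows, mirroring the Users/Groups tables in the thread.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE Groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->query('CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, gid INTEGER NOT NULL)');
$db->insert('Groups', array('id' => 1, 'name' => 'foo'));
$db->insert('Groups', array('id' => 2, 'name' => "admin's"));
$db->insert('Users', array('username' => "o'brien", 'gid' => 1));
$db->insert('Users', array('username' => 'alice', 'gid' => 2));

// Untrusted input: a legitimate value that happens to contain a quote character.
// Anything that can end the string literal early can also change the query's meaning.
$username = "o'brien";

// 1. Concatenation: the quote in the input terminates the SQL literal, the
//    statement is malformed, and the adapter throws.
try {
    $db->fetchAll("SELECT * FROM Users WHERE username = '" . $username . "'");
    echo "unexpected: concatenated query ran\n";
} catch (Zend_Db_Exception $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2. quoteInto(): the adapter escapes the value for this database, so the
//    input is treated purely as data.
$sql = $db->quoteInto('SELECT * FROM Users WHERE username = ?', $username);
echo $sql . "\n";                                   // the quote is escaped inside the literal
$rows = $db->fetchAll($sql);
echo count($rows) . " row(s) via quoteInto()\n";   // 1

// 3. Zend_Db_Select: every where()/join() placeholder is quoted the same way,
//    so the value is safe wherever it appears in the statement.
$group = "admin's";
$select = $db->select()
    ->from(array('u' => 'Users'))
    ->join(array('g' => 'Groups'), 'u.gid = g.id')
    ->where('g.name = ?', $group);
echo $select->__toString() . "\n";
$rows = $db->fetchAll($select);
echo count($rows) . " row(s) via Zend_Db_Select\n"; // 1 (alice)
```

Note that quoting is per adapter: the same quoteInto() call produces the escaping rules of whichever driver the adapter was created for, which is why building the literal by hand with a generic escape function is the wrong layer to do it at.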
Re: [fw-general] Mailing list/wiki for ZF 2.0?
-- mbneto <mbn...@gmail.com> wrote (on Sunday, 07 June 2009, 12:58 PM -0400):
> Is there any external ZF list/wiki for 2.0? I am not aware of any timeline of the next ZF releases (1.8.x, 1.9 and 2.0) but since it will introduce some non-BC features it would be great to have a way to follow its development.

Currently, 2.0 is only in very early planning phases, and you can find the various areas by searching for Zend_Controller 2.0 in the wiki (this will find a page specific to Zend_Controller changes, but that page is the child of a page that is collecting a variety of other component planning pages).

Also, subscribe to zf-contribut...@lists.zend.com as some discussion is happening there (and more will happen in the future).

I'm working on a roadmap for the various releases, and hope to get some pages up on the main site within the next few weeks so that there can be more insight into how we're scoping the releases.

--
Matthew Weier O'Phinney
Project Lead            | matt...@zend.com
Zend Framework          | http://framework.zend.com/
[fw-general] Controller flow changes when using render() inside controller action
I have a controller action that picks out what script is going to render. So I use render('scriptname.phtml') inside my action.

There is a scenario where I have to alter some view scripts and I do that inside the controller's postDispatch() method - since I want it for all actions inside that controller. But in combination with the render() inside the action, postDispatch() gets executed when the view is already rendered. If I don't use render() then postDispatch() is executed before the view rendering.

My guess is that that is kinda wrong - in a way - since the actual rendering should always be done at the same point of the execution flow, in this case always after postDispatch() - no matter what.

Is there a way to only set the name of the script to be rendered later? If not then I guess I'll have to handle that on my own with some property of the controller and have some controller plugin with postDispatch() that calls render with that value.

ty
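One way to only choose the script in the action and leave the rendering where it normally happens, as an added example that is not part of the thread: the ViewRenderer action helper renders in its own postDispatch(), which Zend_Controller_Action runs after the controller's postDispatch(), so calling setRender() instead of render() keeps the order the question asks for. The code assumes Zend Framework 1.x with the default ViewRenderer helper enabled; the controller, action, parameter and script names are made up.

```php
<?php
// Added example (not from the thread): pick the view script in the action
// without rendering it, so rendering still happens after postDispatch().
// Assumes Zend Framework 1.x with the ViewRenderer helper enabled (the default).
class ReportController extends Zend_Controller_Action
{
    public function showAction()
    {
        // Map the request parameter through a fixed list of scripts rather than
        // using it as a script name directly, so only known scripts can be chosen.
        $format = $this->_getParam('format', 'table');
        $script = ($format === 'chart') ? 'show-chart' : 'show-table';

        // setRender() only records which script to use; the helper's own
        // postDispatch() renders it, and that runs after this controller's
        // postDispatch() (Zend_Controller_Action::dispatch() calls
        // postDispatch() first and notifyPostDispatch() afterwards).
        $this->_helper->viewRenderer->setRender($script);
    }

    public function postDispatch()
    {
        // Still runs before the script is rendered, so anything set on the
        // view here is visible to show-chart.phtml / show-table.phtml.
        $this->view->generatedAt = date('c');
    }
}
```

The script names are resolved by the helper exactly as for the default action script, so 'show-chart' maps to views/scripts/report/show-chart.phtml under the usual conventions.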
[fw-general] Zend_Application_Bootstrap_Bootstrap and Zend_Log
In the past I usually did this:

    public static function setupDatabase()
    {
        $config = self::$registry->configuration;
        $db = Zend_Db::factory($config->db->adapter, $config->db->toArray());
        $db->query("SET NAMES 'utf8'");
        self::$registry->database = $db;
        Zend_Db_Table::setDefaultAdapter($db);

        // Logger
        $columnMapping = array('lvl' => 'priority', 'msg' => 'message');
        $writer = new Zend_Log_Writer_Db($db, 'log', $columnMapping);
        $logger = new Zend_Log($writer);
        self::$registry->logger = $logger;
    }

I set up my web hosting server to allow Zend_Tool and such. Now I have the Zend_Application Bootstrap class. So how do I add an application-wide logger like above?

Thx for any help
Eric
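The same logger expressed as a Zend_Application_Bootstrap_Bootstrap resource method, as an added example that is not part of the thread. It assumes Zend Framework 1.8 or later, a resources.db.* section in application.ini (the built-in Db resource returns the adapter it creates), and a "log" table with "lvl" and "msg" columns as in the question; the method name _initLogger and the registry key are choices made here, not anything the framework mandates.

```php
<?php
// Added example (not from the thread): application-wide Zend_Log as a
// bootstrap resource. Assumes ZF 1.8+ and resources.db.* in application.ini.
class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    /**
     * Logger writing to the "log" table through the adapter created by the
     * Db resource. Returned value is stored as the "logger" resource.
     */
    protected function _initLogger()
    {
        // Make sure the Db resource has run, then fetch the adapter it produced.
        $this->bootstrap('db');
        $db = $this->getResource('db');

        // Equivalent of the old setup; the table default can also be set with
        // resources.db.isDefaultTableAdapter = true in application.ini.
        $db->query("SET NAMES 'utf8'");
        Zend_Db_Table::setDefaultAdapter($db);

        // dbColumn => event field, exactly as in the original static method.
        $columnMapping = array('lvl' => 'priority', 'msg' => 'message');
        $writer = new Zend_Log_Writer_Db($db, 'log', $columnMapping);
        $logger = new Zend_Log($writer);

        // Keep a registry entry so existing code keeps working, and return the
        // logger so $bootstrap->getResource('logger') works as well.
        Zend_Registry::set('logger', $logger);
        $logger->info('logger initialised');
        return $logger;
    }
}

// Later, e.g. inside a controller action:
//   $logger = Zend_Registry::get('logger');
// or through the bootstrap the front controller passes along:
//   $logger = $this->getInvokeArg('bootstrap')->getResource('logger');
```

Because the Db resource is bootstrapped on demand from inside _initLogger(), the order in which the _init* methods are declared does not matter.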
[fw-general] New at this -- Can the ZF be used in front of 3rd party applications?
Hello,

I'm new to the Zend Framework, and to be honest frameworks in general. I've been running the various pieces of my small company's web site each in their own dedicated directories under the public root on the web server. I'm now looking at building a front end for a more organized web site using the ZF rather than just a loose collection of different applications.

I understand that the Controller is what organizes what goes where. I've been told that when using the ZF I should keep as much as possible OUT of the public web directories and not even use the web server's configuration aliases. Instead I should use the ZF to point to stuff.

So far, applications like DocuWiki sit entirely IN the public area of my web site. So if I access http://website.com/wiki, the DocuWiki application files are all at/below /path/to/public/webroot/wiki.

I'm having a hard time grasping the whole MVC approach of the ZF. I still want to end up with the wiki @ http://website.com/wiki, but if I move the files somewhere else, how does the ZF point to them?

I learn best if I can tear into an example, so if anyone could comment or reference any good ones, I'd really appreciate the help! From all I've read I'm pretty sure the ZF will help a lot with getting me in the direction I need to go; just need to teach an old dog some new tricks first I suppose.

Bob
[fw-general] Zend_Validate_Db_Abstract ineffective and expensive?
Hi,

I am currently working with Zend_Validate_Db_NoRecordExists. I noticed that the queries look like

    SELECT `$table`.*, `$table`.`$field` FROM ...

Isn't the `$table`.* very expensive? I also don't understand why you also query a specific column, when you already selected every column... Is there a way to prevent the selection of all columns from being added to the query?

--
Regards,
Thomas