"Security is a process, not a product" Bruce Schneier

A new book on Zend Framework 1.8

Posted: November 12th, 2009 | Filed under: Books | 2 Comments

I'm reading the new book by Keith Pope, "Zend Framework 1.8 Web Application Development" from Packt Publishing, and my first impression is very good!

This book introduces the Zend Framework (ZF) with a direct approach: it builds a real web application in depth, in particular an e-commerce web site (you can download the source code of this application from the Packt web site).
In my opinion this is a very good approach, because the main difficulties when you start a new PHP application using ZF, and the MVC paradigm in general, are: how to structure the application, where to write the code, how to build the models, etc.

I guess this is one of the first books about the new version 1.8 of ZF. As you know, starting from version 1.8 the ZF team has introduced the Zend_Application class to easily manage the configuration and the bootstrap phase of the application using a .ini file. The usage of Zend_Application is shown in Chapter 3 of the book.

Especially useful is the part on Model design in Chapter 4, where the author shows step by step how to build a model and why. For instance, the author presents the Model of a Product, showing the balance between the Controller and the Model and the general rules to follow: code reuse, controller readability, maintainability, etc.

I'm glad the author included Chapter 12 about testing the application with PHPUnit. This is a very important part of every software development life cycle, and in real life someone sometimes forgets to test! Me too, to be honest :)

In conclusion, I strongly suggest this book if you are interested in developing PHP web applications using the Zend Framework, whether you are a newbie or an experienced ZF developer.

For more information about this book you can go to the publisher's web site here.


Refactoring the ZF Secure Login example with Zend_Application

Posted: October 22nd, 2009 | Filed under: Zend Framework | 17 Comments

In this post I'm going to refactor the ZF Secure Login application that I provided in my previous post, using the new Zend_Application class available since version 1.8 of Zend Framework.

Here you can find the source of the new application (12 KB).

From the Reference Guide of ZF: “Zend_Application provides a bootstrapping facility for applications which provides reusable resources, common- and module-based bootstrap classes and dependency checking. It also takes care of setting up the PHP environment and introduces autoloading by default.”

Using this class I arranged the new application with some structural changes. In particular, I gave the application folder the following directories: configs, controllers, forms, layouts, models, plugins, views.
In the configs folder I provided an application.ini that holds all the parameters of the application:

[production]
phpSettings.display_startup_errors = 0
phpSettings.display_errors = 0
includePaths.library = APPLICATION_PATH "/../library"
bootstrap.path = APPLICATION_PATH "/Bootstrap.php"
bootstrap.class = "Bootstrap"
resources.frontController.controllerDirectory = APPLICATION_PATH "/controllers"
resources.layout.layout = "layout"
resources.layout.layoutPath = APPLICATION_PATH "/layouts"
resources.frontController.plugins[] = "App_Plugin_SessionCheck"
resources.db.adapter = "PDO_MYSQL"
resources.db.params.host = "localhost"
resources.db.params.username = "root"
resources.db.params.password = 
resources.db.params.dbname = "zf_example"
resources.session.namespace= "SecureLogin"
auth.active= on
auth.timeout= 60
password.salt= "df7hsKJ3284sdhfj33BC"
 
[staging : production]
 
[testing : production]
phpSettings.display_startup_errors = 1
phpSettings.display_errors = 1
 
[development : production]
phpSettings.display_startup_errors = 1
phpSettings.display_errors = 1

As you can see, the application.ini is split into four sections: production, staging, testing and development.
These sections correspond to the different environments in which the application runs. The sections after production inherit from it (that is what [staging : production] means to Zend_Config_Ini) and override only what differs, here the PHP error display settings; display_errors stays off in production, so error messages and file paths are not shown to visitors.
The production section holds all the configuration data of the application: the db parameters, the name of the bootstrap class, the layout path, the front controller plugins, etc. (in this case the plugin is the SessionCheck that I used in the Initializer class of the previous architecture).

For the folders controllers, layouts, models and views I kept the same structure as in the previous architecture, so nothing changed in their files.
The two new directories are forms and plugins. In the forms folder I provided an App_Form_Login class to manage the login Zend_Form. In the plugins folder I put the front controller plugin, named App_Plugin_SessionCheck, which manages the authentication check.
In the previous architecture of the project I used the Initializer plugin with the checkSession method.
As you can notice, almost all the classes of the application start with App_, the namespace prefix that the Zend_Application_Module_Autoloader (registered in the Bootstrap below) maps onto the application folder: App_Form_* to forms/, App_Plugin_* to plugins/, and so on. This is much better for maintenance, because the classes are easier to find.
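The post does not show the body of App_Plugin_SessionCheck, so here is one way such a front controller plugin can be written, as an added example that is not the code from the author's zip. It reads auth.active and auth.timeout from the bootstrap options (the same data a controller gets with getInvokeArg('bootstrap')), lets the login page through, and forces re-authentication when the identity is missing or idle for longer than the timeout. The controller and action names, and the session key lastActivity, are assumptions.

```php
<?php
// Added example, not the plugin shipped with the post's zip: one way to write
// application/plugins/SessionCheck.php, autoloaded as App_Plugin_SessionCheck by the
// Zend_Application_Module_Autoloader registered in the Bootstrap. Controller and
// action names, and the session key 'lastActivity', are assumptions.
class App_Plugin_SessionCheck extends Zend_Controller_Plugin_Abstract
{
    // Actions reachable without an identity; everything else needs a valid login.
    protected $_public = array(
        'index' => array('index', 'login', 'logout'),
        'error' => array('error'),
    );

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        // The bootstrap is registered as a front controller param, so the plugin can
        // read application.ini the same way a controller does with getInvokeArg('bootstrap').
        $options = Zend_Controller_Front::getInstance()
            ->getParam('bootstrap')->getOptions();

        // auth.active = off switches the check off (the ini parser maps "off" to "").
        if (empty($options['auth']['active'])) {
            return;
        }

        $controller = $request->getControllerName();
        $action     = $request->getActionName();
        if (isset($this->_public[$controller])
            && in_array($action, $this->_public[$controller], true)) {
            return;
        }

        $auth    = Zend_Auth::getInstance();
        $session = Zend_Registry::get('session'); // Zend_Session_Namespace from _initSession
        $timeout = (int) $options['auth']['timeout']; // allowed idle time, in seconds
        $now     = time();

        $expired = isset($session->lastActivity)
            && ($now - $session->lastActivity) > $timeout;

        if (!$auth->hasIdentity() || $expired) {
            // Never let a stale identity survive: clear it, then send the user to login.
            $auth->clearIdentity();
            unset($session->lastActivity);
            $redirector = Zend_Controller_Action_HelperBroker::getStaticHelper('Redirector');
            $redirector->gotoSimpleAndExit('login', 'index');
        }

        // Authenticated and within the timeout: slide the idle window forward.
        $session->lastActivity = $now;
    }
}
```

Because the plugin runs in preDispatch for every request, no controller can forget the check; the only way to expose an action is to list it explicitly in $_public.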

So basically, from an architectural point of view, the main difference in this new application is the application folder with the subfolders configs, forms and plugins.
The other differences are in the bootstrap phase. In this application the public index.php contains the following source:

// Define path to application directory
defined('APPLICATION_PATH')
    || define('APPLICATION_PATH', realpath(dirname(__FILE__) . '/../application'));
 
// Define application environment
defined('APPLICATION_ENV')
    || define('APPLICATION_ENV', (getenv('APPLICATION_ENV') ? getenv('APPLICATION_ENV') : 'production'));
 
// Ensure library/ is on include_path
set_include_path(implode(PATH_SEPARATOR, array(
    realpath(APPLICATION_PATH . '/../library'),
    get_include_path(),
)));
 
/** Zend_Application */
require_once 'Zend/Application.php';  
 
// Create application, bootstrap, and run
$application = new Zend_Application(
    APPLICATION_ENV,
    APPLICATION_PATH . '/configs/application.ini'
);
$application->bootstrap()
            ->run();

Basically it sets the include path and creates an instance of the Zend_Application class with the environment to run in (APPLICATION_ENV, which falls back to production when the web server sets no such variable) and the application.ini to load.
The other main difference is the Bootstrap.php file located under the application folder.
This file contains the following source:

class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    protected function _initModuleAutoloader ()
    {
        $al = new Zend_Application_Module_Autoloader(array('namespace' => 'App' , 'basePath' => dirname(__FILE__)));
    }
    protected function _initView ()
    {
        // Initialize view
        $view = new Zend_View();
        $view->doctype('XHTML1_STRICT');
        $view->headTitle('ZF Secure Login');
        // Add it to the ViewRenderer
        $viewRenderer = Zend_Controller_Action_HelperBroker::getStaticHelper('ViewRenderer');
        $viewRenderer->setView($view);
        // Return it, so that it can be stored by the bootstrap
        return $view;
    }
 
    protected function _initSession ()
    {
        $options = $this->getOptions();
        $session = new Zend_Session_Namespace($options['resources']['session']['namespace']);
        Zend_Registry::set('session', $session);
    }
 
}

Here we defined the view structure of the application and the initialization of the session.
With this new architecture all the resources, across different classes, can be accessed through the Zend_Registry class.
We don't use the Globals.php class anymore. This class, in the previous architecture, contained the singleton entities used by all the application classes. I discovered that using a Global class can drive you crazy when you try to unit test and, in general, debug an application.

To reach the configuration data from a controller, I used getInvokeArg('bootstrap')->getOptions(); for instance, in the loginAction of the IndexController I retrieved the value of auth.timeout from application.ini with this piece of code:

$options= $this->getInvokeArg('bootstrap')->getOptions();
$this->view->form = new App_Form_Login($options['auth']['timeout']);
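The App_Form_Login class that receives this timeout is not printed in the post; the following is an added example of how such a form can be built, not the author's code. It shows the point made further down about Zend_Form_Element_Hash: the element creates a random token per rendering, keeps it in the session and rejects a POST whose token does not match or is older than the timeout, so a forged cross-site request fails validation. The element names, the validator ranges and the salt string are assumptions.

```php
<?php
// Added example, not the form from the post's zip: application/forms/Login.php,
// autoloaded as App_Form_Login. The constructor argument is auth.timeout from
// application.ini, passed in by the controller as shown above.
class App_Form_Login extends Zend_Form
{
    protected $_timeout;

    public function __construct($timeout = 300, $options = null)
    {
        // Zend_Form::__construct() calls init(), so the timeout must be stored first.
        $this->_timeout = (int) $timeout;
        parent::__construct($options);
    }

    public function init()
    {
        $this->setMethod('post');

        $username = new Zend_Form_Element_Text('username');
        $username->setLabel('Username')
                 ->setRequired(true)
                 ->addFilter('StringTrim')
                 ->addValidator('StringLength', false, array(3, 32));

        $password = new Zend_Form_Element_Password('password');
        $password->setLabel('Password')
                 ->setRequired(true)
                 ->addValidator('StringLength', false, array(6, 64));

        // Anti-CSRF token. Zend_Form_Element_Hash generates a random value each time
        // the form is rendered, stores it in a Zend_Session_Namespace and validates the
        // posted copy against it; the stored value expires after 'timeout' seconds.
        $token = new Zend_Form_Element_Hash('token', array(
            'salt'    => 'App_Form_Login', // makes the session key unique to this form
            'timeout' => $this->_timeout,
        ));

        $this->addElements(array($username, $password, $token));
        $this->addElement('submit', 'login', array('label' => 'Login', 'ignore' => true));
    }
}
```

In the action, a POST is accepted only when $form->isValid($this->getRequest()->getPost()) returns true; if the token is missing, does not match the session copy or has expired, the form is redisplayed with a fresh token and no authentication attempt is made.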

Moreover, in this new application I simplified the security by using the random auto-generated value of the token in Zend_Form_Element_Hash. I used only a single salt value to improve the security of the MD5 passwords stored in the user table of the MySQL database. In this way I separated the data in the database from the application: someone who breaks into the database but not the application cannot recover the plain-text passwords from the stored hashes, because the salt is not in the database. Note that MD5 is a hash, not encryption, so nothing is "decrypted": the protection rests entirely on the salt staying secret. If the salt leaks together with the table (for example through a backup or a configuration file read), one fast MD5 brute-force run covers every user at once, and two users with the same password share the same hash. In the previous post I used a different salt for every password, but I stored it in the same db table.
The passwords are stored in the database using the MySQL expression MD5(CONCAT(salt, password)), where salt is the value of password.salt in application.ini and password is the plain-text password to store.
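The following added example (not code from the post's zip) shows the PHP side of this storage scheme: the same digest MySQL computes with MD5(CONCAT(salt, password)), a lookup with a bound parameter, and a constant-time comparison. As an editorial addition it also shows the stronger form a practitioner would use today, password_hash() with its per-user random salt and slow algorithm, which removes the dependence on one shared secret. The column names, the hash_equals() call (PHP >= 5.6) and password_hash() (PHP >= 5.5) are assumptions about the runtime, not things the post states.

```php
<?php
// Added example, not code from the post's zip: the PHP side of the storage scheme
// described above. Stored value = MD5(CONCAT(salt, password)) computed by MySQL; the
// salt comes from password.salt in application.ini and never sits in the database.
// Column names (username, password) and hash_equals (PHP >= 5.6) are assumptions.

function app_legacy_hash($salt, $password)
{
    // Byte-for-byte what MySQL hashes: salt first, then the plain-text password.
    return md5($salt . $password);
}

function app_legacy_verify(Zend_Db_Adapter_Abstract $db, $salt, $username, $password)
{
    // Bound parameter for the lookup, never string concatenation.
    $stored = $db->fetchOne(
        'SELECT password FROM user WHERE username = ?', array($username)
    );
    if ($stored === false) {
        return false; // unknown user
    }
    // Constant-time comparison: '==' would leak how many leading characters matched.
    return hash_equals($stored, app_legacy_hash($salt, $password));
}

// Editorial addition, not part of the post: a slow, per-user salted hash. password_hash()
// (PHP >= 5.5) embeds a random salt in its output, so identical passwords give different
// hashes, and an attacker who obtains both the table and the application salt still has to
// run a deliberately slow function per user instead of one fast MD5 pass over all rows.
function app_strong_hash($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function app_strong_verify($stored, $password)
{
    return password_verify($password, $stored);
}

// Usage from an action, with the adapter and options taken from the bootstrap:
//   $bootstrap = $this->getInvokeArg('bootstrap');
//   $options   = $bootstrap->getOptions();
//   $ok = app_legacy_verify($bootstrap->getResource('db'),
//                           $options['password']['salt'],
//                           $form->getValue('username'), $form->getValue('password'));
```

Migrating from the MD5 scheme to password_hash() can be done lazily: verify with app_legacy_verify(), and on success store app_strong_hash($password) in place of the old digest, so every user is upgraded on the next successful login.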

In conclusion, the new application, using the Zend_Application class, seems much more structured and much more configurable thanks to the application.ini file, and, last but not least, we have to write less code, which is the best part for a developer :)