[OWASP_PHPSEC] Need Help understanding framework

rahul chaudhary rahul300chaudhary400 at gmail.com
Fri Aug 23 15:03:45 UTC 2013


1) But when you are keeping "file" as the static prefix... how will any
developer know that they have to create a folder named "file" where they
have to keep the static data..... and moreover, since the developer can
change the static prefix... shouldn't this go in a "config file"?

Now I have understood the overall framework..... what to do next?? (I
believe that the static scanner is done)....
Also I am having doubts on the question of how we are going to mix all
our libraries to contribute to the framework..... give me an example of, let's
say, a session library... we have a stand-alone library... now what should I
do to incorporate this session library into our framework??


On Fri, Aug 23, 2013 at 12:36 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> 1. So that URLs such as http://example.com/ourapp/file/img1.png are
> handled statically.
> 2. You have keen eyes. The TRUE means that I'm passing class names as
> strings instead of objects.
> -A
> ______________________________________________________________
> Notice: This message is digitally signed, its source and
> integrity are verifiable.
> If your mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body. Read more at Certified E-Mail with Comodo and Thunderbird <http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
> AbiusX.com
>
> On Shahrivar 1, 1392, at 8:52 AM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> 1) But you have defined "$staticPrefix" as "file"..... why this string
> "file"???
>
> 2) The description of the "is_a()" function in PHPDoc says the same.... but the
> problem is the third argument, which is TRUE..... what is this third
> argument...
>
> Also I see that when you have called the is_a function, you are not
> passing it an object but the class name..... how does
> that tell if it's a subclass of "Controller" or "defaultController"???
>
>
> On Thu, Aug 22, 2013 at 11:00 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>> Very good questions.
>> 1. Static content is static files, not dynamic content. They do not
>> require a running program to generate output. CSS/JS/IMG/etc. files are
>> static content, as are static HTML files. Usually the web server
>> (Apache) handles them, but handling them via the framework is much more
>> secure, and allows for authorization etc.
>>
>> 2. is_a checks whether an object is a (an instance of) a class. If B derives
>> from A, B is an A, and A is an A.
>> -A
>>
>> On Mordad 31, 1392, at 9:05 PM, rahul chaudhary <
>> rahul300chaudhary400 at gmail.com> wrote:
>>
>> OK.... two doubts in "front controller":
>>
>> 1) In function start(), Line 61:
>> if (substr($Request,0,strlen(self::$StaticPrefix)+1)==self::$StaticPrefix."/") //static request
>>
>> What is a static request, why is the static prefix set to "file" and how
>> does this help us in handling the application?
>>
>>
>> 2) In function startController(), I am having trouble understanding the
>> usage of the is_a() function: Can you help me understand this function???
>> Basically tell me what the third option "TRUE" is??
>> if (is_a($class, __NAMESPACE__."\\Controller",true))
>>
>>
>> On Wed, Aug 21, 2013 at 6:32 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>
>>> Start handles the front controller, and starts the appropriate
>>> controller based on routes.
>>>
>>> Routes define which URL(s) should be handled by which controllers.
>>> -A
>>>
>>> On Mordad 30, 1392, at 4:51 PM, rahul chaudhary <
>>> rahul300chaudhary400 at gmail.com> wrote:
>>>
>>> Yes yes... I know that... but there are functions called start and
>>> matchRoutes.... those two are difficult to understand... :(
>>>
>>>
>>> On Wed, Aug 21, 2013 at 5:50 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>> It is almost correct. There is no rigid definition of borders in these
>>>> three concepts.
>>>> FrontController is in charge of receiving all requests sent to an
>>>> application, and dispatching them to the correct controllers.
>>>> -A
>>>>
>>>>
>>>> On Mordad 30, 1392, at 4:45 PM, rahul chaudhary <
>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>
>>>> Hello All,
>>>>
>>>> Here is what I learned about MVC. There are two ways to make a
>>>> web-application. One way is to create with haste and without planning...and
>>>> another is to create the application with proper planning.
>>>>
>>>> MVC is the second type.
>>>>
>>>> In MVC, there are three main components....controller, model and view.
>>>> A controller is used to mediate controls between model and view. It also
>>>> interprets commands and passes control between model and view.
>>>>
>>>> E.g.:
>>>> Let's say there is a bank site. So, obviously, there is a DB. There are
>>>> web pages and there are charts, graphs etc. To divide an application
>>>> properly, MVC states that you keep all your components that show the output
>>>> in the "view" part. In our bank application, suppose a user requests a
>>>> slip of their bank details. Then the server would return some data such as
>>>> account number, available balance etc. The role of the view is to show this
>>>> data in a proper format. The view is also responsible for showing information
>>>> in different formats, such as the same information being shown in bar charts as
>>>> well as pie charts.... it is the role of the view to show data in different
>>>> formats if requested.
>>>>
>>>> The model part is the business logic. So you will keep all files that
>>>> actually manage your application there. E.g. a user requests their details,
>>>> then what information is to be given, authorization of users, transactions
>>>> etc.... all these components must be kept in the "model". It is also obvious
>>>> that access to the application's DB is also made from inside the "model". So,
>>>> in our bank application, if the user is requesting some data from the
>>>> server, then that request must be handled by the "model" part.
>>>>
>>>> The controller is what takes the request and decides how to process it.
>>>> E.g.: a user says they want a bank slip. This request will be received by
>>>> the controller. The controller will pass this request to the model. The model
>>>> will generate the data and pass it back to the controller. The controller
>>>> will then pass this generated data to the "view". The "view" will then
>>>> generate an output and give it back to the controller. The
>>>> controller will send this data back to the user.
>>>>
>>>> *So, guys please tell me if anything is wrong.*
>>>>
>>>> Now in our framework, I understand what is going on (overall). But my
>>>> doubt is with the controller. There is a "front controller" in our application
>>>> inside the "_core" folder. I am still trying to understand that fully. The rest I
>>>> have understood. Will update you guys on my findings later on this.
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> On Sat, Aug 17, 2013 at 9:33 AM, rahul chaudhary <
>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>
>>>>> Congratulations Abbas, great news!!!
>>>>>
>>>>>
>>>>> On Sat, Aug 17, 2013 at 2:31 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>>
>>>>>> OK
>>>>>> Sorry for the vague code! I wanted to polish it more but my US visa
>>>>>> got ready and I'm in the process of moving to the US, that's why I left it in
>>>>>> that (not so) fragile state.
>>>>>> loader.php is the environment setup file. It makes the framework work
>>>>>> properly whether it's called from the command line or the web. Basically
>>>>>> everything that comes from the environment to the framework is set here.
>>>>>> front.php is the FrontController. To know what that is, you need to
>>>>>> learn more about the MVC model. After that, drop another email and describe
>>>>>> it to others, and I can then describe the extended pull MVC model.
>>>>>>
>>>>>> Controller is an abstract class, because the application developer
>>>>>> should create controllers that extend it.
>>>>>>
>>>>>> DefaultController is a controller that handles a bunch of requests,
>>>>>> not just one. Basically each controller is assigned to a single URI, e.g.
>>>>>> app/user/login. One might want to have a default controller to control a
>>>>>> lot of requests, e.g.
>>>>>> app/posts/post-one-hello-world
>>>>>> app/posts/how-i-started-this
>>>>>>
>>>>>> and everything at app/posts/* to be handled by a single controller.
>>>>>> Those are handled by a default (catch) controller.
>>>>>>
>>>>>> Routes define which URI is handled by which controller. Everything
>>>>>> outside the _core folder is a sample application, and not a necessary part of
>>>>>> the framework (except for files in the config folder, which are required for
>>>>>> framework configuration, e.g. database credentials).
>>>>>>
>>>>>> -Abbas
>>>>>>
>>>>>> On Mordad 25, 1392, at 11:22 PM, rahul chaudhary <
>>>>>> rahul300chaudhary400 at gmail.com> wrote:
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> I need help understanding the overall structure of the framework that
>>>>>> Abbas created.
>>>>>>
>>>>>> This is what I have understood this far:
>>>>>>
>>>>>> There is a folder called _core:
>>>>>> 1) There is a file called "autoloader.php" which loads all the core
>>>>>> classes in PHPSEC and then defines the path to all other classes. It provides
>>>>>> functions to load any class within the framework or PHPSEC.
>>>>>> 2) "Loader.php" prepares the HTTP requests prior to calling
>>>>>> front.php, e.g. setting baseURL.
>>>>>> *3) "front.php" ---> this is the main doubt. It says that it handles
>>>>>> the application. But handling means what? What are controllers? Because the
>>>>>> Controller class is just an abstract class and DefaultController is also
>>>>>> not so descriptive that I can deduce what it does.*
>>>>>>
>>>>>> Other classes such as routes.php or default.php... I understand their
>>>>>> meaning not fully but up to like 80%...... so can someone please explain to me
>>>>>> what the framework is about and what it is doing? (Or you can just point me to
>>>>>> some link... I will learn from there..)
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Rahul Chaudhary
>>>>>> Ph - 412-519-9634
>>>>>>  _______________________________________________
>>>>>> OWASP_PHP_Security_Project mailing list
>>>>>> OWASP_PHP_Security_Project at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
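The two mechanics discussed in the quoted replies, the static-prefix branch in start() and is_a() called with a class-name string and TRUE as its third argument, as an added PHP illustration that is not PHPSEC code: the Controller, UserController, Mailer and Front classes, the route table and the static folder location are all constructed for this example. It also adds the containment check on the resolved file path that serving static files through the framework, rather than the web server, makes possible.

```php
<?php
// Added illustration, not PHPSEC code. All classes, the route table and the
// static folder are hypothetical; only the two checks come from the thread.
namespace App;

abstract class Controller {
    abstract public function handle(string $request): string;
}
class UserController extends Controller {
    public function handle(string $request): string { return "user page for $request"; }
}
class Mailer {   // not a Controller: a route pointing here must be rejected
    public function handle(string $request): string { return "mail sent"; }
}

final class Front {
    public static string $StaticPrefix = 'file';            // same role as the thread's prefix
    public static string $StaticRoot = __DIR__ . '/file';   // hypothetical static folder
    // Constructed route table: URI => class name as a string, not an object.
    private const ROUTES = [
        'user/login' => UserController::class,
        'mail/send'  => Mailer::class,           // misconfigured route
    ];

    public static function dispatch(string $request): string {
        // Static request: anything under "file/" is served as a file, never run as code.
        $prefixLen = strlen(self::$StaticPrefix) + 1;
        if (substr($request, 0, $prefixLen) === self::$StaticPrefix . '/') {
            return self::serveStatic(substr($request, $prefixLen));
        }
        $class = self::ROUTES[$request] ?? null;
        if ($class === null) {
            return '404 no route';
        }
        // is_a() with allow_string=true accepts a class-name string and is true for
        // Controller itself or any subclass, without instantiating anything first.
        if (!is_a($class, __NAMESPACE__ . '\\Controller', true)) {
            return '500 route does not point at a Controller';
        }
        return (new $class())->handle($request);
    }

    private static function serveStatic(string $path): string {
        $root = realpath(self::$StaticRoot);
        $full = realpath(self::$StaticRoot . '/' . $path);
        // The resolved file must lie inside the static root, or it is not served.
        if ($root === false || $full === false || strpos($full, $root . DIRECTORY_SEPARATOR) !== 0) {
            return '404 not found';
        }
        return (string) file_get_contents($full);
    }
}
```

With this table, Front::dispatch('user/login') reaches UserController, while Front::dispatch('mail/send') is refused because Mailer is not a Controller even though it happens to have a handle() method.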