[OWASP_PHPSEC] Need Help understanding framework

Abbas Naderi abiusx at owasp.org
Fri Aug 23 19:47:51 UTC 2013


Unfortunately I'm in the process of moving, and can't think well enough for this. Please think of something yourself and do it :D

______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Aug 23, 2013, at 9:32 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> Once I sent the mail...and I was seeing the "staticContent" function....I realized its use...but thanks for confirming it...:)
> 
> yes..I am checking the jFramework....so till then is there anything that I should do..I was thinking of updating the OWASP's wiki pages.....but if there is any other library that you want me to focus on then please tell...
> 
> 
> On Fri, Aug 23, 2013 at 9:24 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> 1.
> the StaticPrefix is the URI prefix, and does not have a one-to-one relation to the filesystem. It is a common misunderstanding because Apache usually maps the filesystem to URIs automatically.
> 
> The static contents should be put in the static folder in the framework, and can be accessed via the "file" URI prefix.
> 
> It can be easily changed by adding a line to the config file, FrontController::$StaticPrefix="not/file"
> 
> As for the framework, it requires experience and wisdom. Go through jframework for an example of how a framework handles things.
> -A
> 
> On Shahrivar 1, 1392, at 7:33 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> 
>> 1) But when you are keeping "file" as static prefix...how will any developer know that they have to create a folder named "file" where they have to keep the static data.....and moreover since the developer can change the static prefix...shouldn't this go in a "config file"?
>> 
>> Now I have understood the overall framework.....what to do next ?? (I believe that static scanner is done)....
>> Also I am having doubts on the question that how are we going to mix all our libraries to contribute to the framework.....give me an example of let's say a session library...we have a stand alone library...now what should I do to incorporate this session library in our framework ??
>> 
>> 
>> On Fri, Aug 23, 2013 at 12:36 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>> 1. so that urls such as http://example.com/ourapp/file/img1.png are handled statically.
>> 2. You have keen eyes. The TRUE means that I'm passing classnames as strings instead of objects.
>> -A
>> 
>> On Shahrivar 1, 1392, at 8:52 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> 
>>> 1) But you have defined "$staticPrefix" as "file".....why this string "file" ???
>>> 
>>> 2) The description of "is_a()" function in PHPDoc says the same....but the problem is the third argument which is TRUE.....what is this third argument...
>>> 
>>> also I see that when you have called the is_a function, you are not passing it an object but you are passing it the class name.....how does that tell if it's a subclass of "Controller" or "defaultController" ???
>>> 
>>> 
>>> On Thu, Aug 22, 2013 at 11:00 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>> Very good questions.
>>> 1. Static content is static files, not dynamic content. They do not require a running program to generate output. CSS/JS/IMG/etc. files are static contents, as well as static HTML files. Usually the web server (Apache) handles them, but handling them via the framework is much more secure, and allows for authorization etc.
>>> 
>>> 2. is_a checks whether an object is an instance of a class. If B derives from A, B is an A, and A is an A.
>>> -A
>>> 
>>> On Mordad 31, 1392, at 9:05 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>> 
>>>> ok....two doubts in "front controller":
>>>> 
>>>> 1) In function start()   Line 61:
>>>> if (substr($Request,0,strlen(self::$StaticPrefix)+1)==self::$StaticPrefix."/") //static request
>>>> 
>>>> What is a static request? Why is the static prefix set to "file" and how does this help us in handling the application?
>>>> 
>>>> 
>>>> 2) In function startController(), I am having trouble understanding the usage of the is_a() function: Can you help me understand this function ??? Basically tell me what is the third option "TRUE" ??
>>>> if (is_a($class, __NAMESPACE__."\\Controller",true))
>>>> 
>>>> 
>>>> On Wed, Aug 21, 2013 at 6:32 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>> Start handles the front controller, and starts the appropriate controller based on routes.
>>>> 
>>>> Routes define which URL(s) should be handled by which controllers.
>>>> -A
>>>> 
>>>> On Mordad 30, 1392, at 4:51 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>>> 
>>>>> yes yes...I know that...but there is a function called start and matchRoutes....those two are difficult to understand... :(
>>>>> 
>>>>> 
>>>>> On Wed, Aug 21, 2013 at 5:50 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>> It is almost correct. There is no rigid definition of borders in these three concepts. 
>>>>> FrontController is in charge of receiving all requests sent to an application, and dispatching them to the correct controllers.
>>>>> -A
>>>>> 
>>>>> 
>>>>> On Mordad 30, 1392, at 4:45 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>>>> 
>>>>>> Hello All,
>>>>>> 
>>>>>> Here is what I learned about MVC. There are two ways to make a web-application. One way is to create with haste and without planning...and another is to create the application with proper planning.
>>>>>> 
>>>>>> MVC is the second type.
>>>>>> 
>>>>>> In MVC, there are three main components....controller, model and view. A controller is used to mediate controls between model and view. It also interprets commands and passes control between model and view.
>>>>>> 
>>>>>> E.g:
>>>>>> Let's say there is a bank site. So, obviously, there is a DB. There are web-pages and there are charts, graphs etc. To divide an application properly, MVC states that you keep all your components in the "view" part that shows the output. In our bank application, suppose a user requests a slip of their bank details. Then the server would return some data such as account number, available balance etc. The role of view is to show this data in a proper format. View is also responsible for showing information in different formats, such as the same information being shown in bar charts as well as pie charts....this is the role of view to show data in different formats if requested.
>>>>>> 
>>>>>> The model part is business logic. So you will keep all files that actually manage your application. For e.g. a user requests their details, then what information is to be given, authorization of users, transactions etc....these all components must be kept in the "model". It is also obvious that access to the application's DB is also made from inside "model". So, in our bank application, if the user is requesting some data from the server, then that request must be handled by the "model" part.
>>>>>> 
>>>>>> The controller is what takes the request and decides how to process it. E.g: a user says they want a bank slip. This request will be received by the controller. The controller will pass this request to model. The model will generate the data and will pass back to the controller. The controller will then pass this generated data to the "view". The "view" will then generate an output and will then give it back to the controller. The controller will send this data back to the user.
>>>>>> 
>>>>>> So, guys please tell me if anything is wrong.
>>>>>> 
>>>>>> Now in our framework, I understand what is going on (overall). But my doubt is with controller. There is a "front controller" in our application inside "_core" folder. I am still trying to understand that fully. Rest I have understood. Will update you guys on my findings later on this.
>>>>>> 
>>>>>> Thanks.
>>>>>> 
>>>>>> 
>>>>>> On Sat, Aug 17, 2013 at 9:33 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>>>>> Congratulations Abbas, great news!!!
>>>>>> 
>>>>>> 
>>>>>> On Sat, Aug 17, 2013 at 2:31 AM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>>> Ok
>>>>>> Sorry for the vague code! I wanted to polish it more but my US visa got ready and I'm in the process of moving to the US, that's why I left it in that (not so) fragile state.
>>>>>> loader.php is the environment setup file. It makes the framework work properly whether its called from command line or the web. Basically everything that comes from the environment to the framework is set here.
>>>>>> front.php is the FrontController. To know what that is, you need to learn more about the MVC model. After that, drop another email and describe it to others, and I can then describe the extended pull MVC model.
>>>>>> 
>>>>>> Controller is an abstract class, because the application developer should create controllers that extend it.
>>>>>> 
>>>>>> DefaultController is a controller that handles a bunch of requests, not just one. Basically each controller is assigned to a single URI, e.g. app/user/login. One might want to have a default controller to control a lot of requests, e.g.
>>>>>> app/posts/post-one-hello-world
>>>>>> app/posts/how-i-started-this
>>>>>> 
>>>>>> and everything at app/posts/* to be handled by a single controller. Those are handled by a default (catch) controller.
>>>>>> 
>>>>>> routes define which URI is handled by which controller. Everything outside the _core folder is a sample application, and not a necessary part of the framework (except for files in the config folder, which are required for framework configuration, e.g. database credentials).
>>>>>> 
>>>>>> -Abbas
>>>>>> 
>>>>>> On Mordad 25, 1392, at 11:22 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>>>>> 
>>>>>>> Hello All,
>>>>>>> 
>>>>>>> I need help understanding the overall structure of framework that Abbas created.
>>>>>>> 
>>>>>>> This is what I have understood this far:
>>>>>>> 
>>>>>>> There is a folder called _core:
>>>>>>> 1) There is a file called "autoloader.php" which loads all the core classes in PHPSEC and then defines path to all other classes. It provides functions to load any class within framework or PHPSEC.
>>>>>>> 2) "Loader.php" prepares the HTTP Requests prior to calling front.php. E.g. setting baseURL
>>>>>>> 3) "front.php"---> this is the main doubt. It says that it handles the application. But handling means what ? What are controllers? Because the Controller class is just an abstract class and DefaultController is also not that descriptive, so I cannot deduce what it does.
>>>>>>> 
>>>>>>> Other classes such as routes.php or default.php...I understand their meaning not fully but up to like 80%......so can someone please explain to me what the framework is about and what it is doing ? (Or you can just point me to some link...I will learn from there..)
>>>>>>> 
>>>>>>> -- 
>>>>>>> Regards,
>>>>>>> Rahul Chaudhary
>>>>>>> Ph - 412-519-9634
>>>>>>> _______________________________________________
>>>>>>> OWASP_PHP_Security_Project mailing list
>>>>>>> OWASP_PHP_Security_Project at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
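The two checks the thread keeps coming back to, the `StaticPrefix` test in `start()` and the `is_a($class, ..., true)` test in `startController()`, are easier to see in a small self-contained front controller. The code below is an added illustration and is not jFramework or OWASP PHPSEC code; the namespace `App`, the `$StaticDir` property, the `$Routes` table, `resolveStatic()`, and the sample controllers are assumptions made for this example. It also adds the one thing a practitioner would want once the framework, rather than Apache, serves static files: a `realpath()` check that the resolved file really lives under the static directory, which is where per-request authorization would be enforced.

```php
<?php
// Added example (not the project's code). Minimal front controller showing:
//  1. the StaticPrefix test: a URI prefix, not a filesystem path;
//  2. is_a() with allow_string = TRUE so class *names* can be checked;
//  3. confining framework-served static files to one directory.
namespace App;

abstract class Controller {
    abstract public function handle(string $request): string;
}

class UserLoginController extends Controller {   // assumed sample controller
    public function handle(string $request): string { return "login page"; }
}

class DefaultController extends Controller {     // catch-all, as in the thread
    public function handle(string $request): string { return "catch-all for $request"; }
}

class FrontController {
    // URI prefix only; changing it does not rename any directory.
    public static $StaticPrefix = "file";
    // Filesystem directory static files are read from (assumed name).
    public static $StaticDir = __DIR__ . "/static";
    // Route table: URI => controller class name as a string (assumed layout).
    public static $Routes = [
        "user/login" => UserLoginController::class,
    ];

    // Same test as the thread's start(): prefix followed by "/".
    public static function isStaticRequest(string $request): bool {
        return substr($request, 0, strlen(self::$StaticPrefix) + 1)
            === self::$StaticPrefix . "/";
    }

    // Map "file/img1.png" to a real file under $StaticDir, or null if it
    // does not exist or would escape that directory (e.g. via "..").
    public static function resolveStatic(string $request): ?string {
        $relative = substr($request, strlen(self::$StaticPrefix) + 1);
        $base = realpath(self::$StaticDir);
        $path = realpath(self::$StaticDir . "/" . $relative);
        if ($base === false || $path === false || !is_file($path)) {
            return null;
        }
        // realpath() has collapsed "." and "..", so a prefix test is reliable.
        if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            return null;
        }
        return $path;
    }

    public static function startController(string $class, string $request): string {
        // Third argument TRUE: is_a() treats $class as a class name. Without it
        // a string is taken for an object and the check is simply false.
        if (!is_a($class, __NAMESPACE__ . "\\Controller", true)) {
            throw new \RuntimeException("$class is not a Controller");
        }
        return (new $class())->handle($request);
    }

    public static function start(string $request): string {
        if (self::isStaticRequest($request)) {
            // Because the framework, not the web server, answers this request,
            // an authorization check for the file can be placed right here.
            $path = self::resolveStatic($request);
            return $path === null ? "404" : file_get_contents($path);
        }
        $class = self::$Routes[$request] ?? DefaultController::class;
        return self::startController($class, $request);
    }
}

var_dump(FrontController::isStaticRequest("file/img1.png"));        // true
var_dump(FrontController::isStaticRequest("files/img1.png"));       // false: "/" must follow the prefix
var_dump(is_a(UserLoginController::class, Controller::class, true)); // true: subclass name accepted
var_dump(is_a(UserLoginController::class, Controller::class));       // false: string without allow_string
echo FrontController::start("user/login"), "\n";                      // login page
echo FrontController::start("posts/hello-world"), "\n";               // catch-all for posts/hello-world
echo FrontController::start("file/../config.php"), "\n";              // 404: resolves outside $StaticDir
```

Run it with `php front_example.php` from any directory; no `static/` folder is needed for the routing lines, and the last line returns `404` either way because the resolved path is not under `$StaticDir`. Setting `FrontController::$StaticPrefix = "not/file"` in a config file, as suggested in the thread, changes only which URIs take the static branch.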
