Cook up Web sites fast with CakePHP, Part 4: Use CakePHP's Session and Request Handler components
Streamline PHP applications
Skill Level: Intermediate
Web Application Developer
ID Society
02 Jan 2007
Updated 22 Jan 2008
CakePHP is a stable, production-ready, rapid-development aid for building Web sites in PHP. This "Cook up Web sites fast with CakePHP" series shows you how to build an online product catalog using CakePHP.
Section 1. Before you start
Editor's note: This series was originally published in 2006 and 2007. Since its
publication, CakePHP developers made significant changes to CakePHP, which
made this series obsolete. In response to these changes and the popularity of this
series, the authors revised each of its five parts to make it compliant with the version
of CakePHP available in January 2008.
This "Cook up Web sites fast with CakePHP" series is designed for PHP application developers who want to start using CakePHP to make their lives easier. In the end, you will have learned how to install and configure CakePHP, the basics of Model-View-Controller (MVC) design, how to validate user data in CakePHP, how to use CakePHP helpers, and how to get an application up and running quickly using CakePHP. It might sound like a lot to learn, but don't worry — CakePHP does most of it for you.
Use CakePHP's Session and Request Handler components
Page 1 of 25
developerWorks®
ibm.com/developerWorks
About this series
• Part 1 focuses on getting CakePHP up and running, and the basics of how to put together a simple application allowing users to register for an account and log in to the application.
• Part 2 demonstrates how to use scaffolding and Bake to get a jump-start on your application, and using CakePHP's access control lists (ACLs).
• Part 3 shows how to use Sanitize, a handy CakePHP class, which helps secure an application by cleaning up user-submitted data. It also covers the CakePHP security component, handling invalid requests, and other advanced request authentication.
• Part 4 focuses primarily on the Session component of CakePHP, demonstrating three ways to save session data, as well as the Request Handler component to help you manage multiple types of requests (mobile browsers, requests containing XML or HTML, etc.).
• Part 5 deals with caching, specifically view and layout caching, which can help reduce server resource consumption and speed up your application.
About this tutorial
There are multiple ways of saving session data using CakePHP's Session
component, and each method has its advantages. In this tutorial, you'll learn how to
use the Session component by incorporating all three ways into your application, so
you'll be able to pick the best one that works for you. On top of that, you'll learn how
to use the Request Handler component to aid in your handling of various HTTP
requests, including requests from mobile browsers, or requests containing XML or
HTML content.
This tutorial is divided into two main topics:
• The different types of session handling covered by CakePHP — You will
learn the advantages and disadvantages of each, and how to implement
them.
• How to use the Request Handler in your controllers — We will use it for
two purposes: to add an RSS feed of your products and to implement
Ajax functionality.
Prerequisites
This tutorial assumes you have already completed Part 1, Part 2, and Part 3, and that you still have the working environment you set up for those tutorials. If you do not have CakePHP installed, you should run through Parts 1 and 2 before continuing.
It is assumed that you are familiar with the PHP programming language, have a
fundamental grasp of database design, and are comfortable getting your hands dirty.
For the section on Ajax, it is also assumed that you have a basic understanding of
Ajax. See Resources for links to help you get started with Ajax.
System requirements
Before you begin, you need to have an environment in which you can work.
CakePHP has reasonably minimal server requirements:
1. An HTTP server that supports sessions (and preferably mod_rewrite). This tutorial was written using Apache V2.2.4 with mod_rewrite enabled.
2. PHP V4.3.2 or later (including PHP V5). This tutorial was written using PHP V5.2.3.
3. A supported database engine. This tutorial was written using MySQL V5.0.4.
You'll also need a database ready for your application to use. The tutorial will
provide syntax for creating any necessary tables in MySQL.
The simplest way to download CakePHP is to visit CakeForge.org and download the
latest stable version. This tutorial was written using V1.2.0. Nightly builds and copies
straight from Subversion are also available. Details are in the CakePHP Manual (see
Section 2. Tor, so far
Up to now, you have used CakePHP to create a simple application for managing
products and dealers. In Part 1, you gained an understanding of the MVC paradigm.
In Part 2, you used CakePHP's powerful scaffolding to develop a skeleton for your
application quickly. You finished Part 3 with a number of projects to
improve Tor. The first was to sanitize your data.
What to sanitize
When you sanitized your data, you probably noticed that most of the user input so
far is fairly simple. Most of the data input can be filtered using the paranoid
method, since you should not get anything too complex from the user. The login
action of the users controller is shown below.
Listing 1. Sanitizing the user name input
function login()
{
    if ($this->data)
    {
        // Strip everything except letters and digits from the submitted
        // user name before it is used in the lookup.
        $results = $this->User->findByUsername(
            Sanitize::paranoid($this->data['User']['username']));
        // Compare against the MD5 hash stored at registration (see Listing 2).
        if ($results && $results['User']['password'] == md5($this->data['User']['password']))
        {
            $this->Session->write('user', $this->data['User']['username']);
            $this->redirect(array('action' => 'index'), null, true);
        } else {
            $this->set('error', true);
        }
    }
}
Similarly for registration, you would expect that a user's name should only contain
letters, spaces, hyphens, and apostrophes. However, apostrophes and hyphens can
be bad news for a SQL database. Using the sql method ensures that these reach
the database safely.
Listing 2. You should sanitize different inputs based on their expected values
function register()
{
    if (!empty($this->data))
    {
        // Letters and digits only for the user name.
        $this->data['User']['username'] = Sanitize::paranoid($this->data['User']['username']);
        // E-mail addresses additionally need '@', '.', '-' and '+'.
        $this->data['User']['email'] = Sanitize::paranoid($this->data['User']['email'], array('@', '.', '-', '+'));
        // Names may legitimately contain apostrophes and hyphens, so escape
        // them for SQL instead of stripping them.
        $this->data['User']['first_name'] = Sanitize::sql($this->data['User']['first_name']);
        $this->data['User']['last_name'] = Sanitize::sql($this->data['User']['last_name']);
        // Store the MD5 hash that login() compares against (Listing 1).
        $this->data['User']['password'] = md5($this->data['User']['password']);
        // The remainder of register(), which saves the record, is not reproduced here.
    }
}
These are just a couple of examples of how you could have sanitized your data.
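As an added example that is not part of the tutorial, the stand-alone script below applies the per-field rules of Listing 2 to a constructed registration payload and reports which fields the filter changed, so a controller can reject the submission rather than silently save an altered value. paranoidFilter() is a local stand-in for Sanitize::paranoid (keep letters, digits and an allow-list of extra characters); putting the name fields through an allow-list instead of Sanitize::sql is an assumption made here so that every field goes through the same check.

```php
<?php
// Added example (not the tutorial's code). paranoidFilter() mirrors what
// Sanitize::paranoid does: keep letters, digits and the allowed characters.
function paranoidFilter($value, array $allowed = array()) {
    $extra = '';
    foreach ($allowed as $ch) {
        $extra .= preg_quote($ch, '/');
    }
    return preg_replace('/[^a-zA-Z0-9' . $extra . ']/', '', $value);
}

// Per-field allow-list, following Listing 2. Names keep spaces, hyphens and
// apostrophes here (allow-listed rather than SQL-escaped): an assumption.
$registrationPolicy = array(
    'username'   => array(),
    'email'      => array('@', '.', '-', '+'),
    'first_name' => array(' ', '-', "'"),
    'last_name'  => array(' ', '-', "'"),
);

// Returns the filtered fields plus the list of fields the filter changed,
// so the controller can reject the submission instead of silently saving
// a value that differs from what the user typed.
function sanitizeRegistration(array $user, array $policy) {
    $clean = array();
    $changed = array();
    foreach ($policy as $field => $allowed) {
        $original = isset($user[$field]) ? (string)$user[$field] : '';
        $clean[$field] = paranoidFilter($original, $allowed);
        if ($clean[$field] !== $original) {
            $changed[] = $field;
        }
    }
    return array('data' => $clean, 'changed' => $changed);
}
// Constructed sample payload, as a browser might submit it.
$submitted = array(
    'username'   => 'alice<script>',
    'email'      => 'alice+tor@example.com',
    'first_name' => 'Anne-Marie',
    'last_name'  => "O'Neil; DROP TABLE users",
);
$result = sanitizeRegistration($submitted, $registrationPolicy);
foreach ($result['data'] as $field => $value) {
    printf("%-10s %s\n", $field, $value);
}
if ($result['changed']) {
    echo 'Rejected: filter altered ' . implode(', ', $result['changed']) . "\n";
}
```

With this payload the user name and last name are reported as altered, while the e-mail address passes unchanged because its extra characters are on the allow-list.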
Securing the application
Your next task was to secure Tor using the Security component. If you consider which forms need the most security, a natural guess would be any forms that change the database. This is a good rule of thumb: if a change is made to the database, the form should be submitted via the POST method.
One action that fits this description is the product delete action. Since deleting a product removes a row from the database, it should be a POST-only request. The code to require this is shown below.
Listing 3. ProductsController requiring POST for delete action
function beforeFilter()
{
    $this->Security->requireAuth('delete');
    $this->Security->requirePost('delete');
}
If you try deleting a product now, you will notice that you get a 400 error. This is good, because it means that any delete has to come from a particularly formatted request. However, we need to get the delete functionality back, so you'll need to make an appropriate change to the views that point to the delete action. See Listing 4 for how the new showDelete section could look.
Listing 4. The delete action calls should happen inside forms
<?php if ($showDelete) { ?>
    <?php echo $form->create('Product', array('action' => 'delete/' . $product['Product']['id'])); ?>
    <li><?php echo $form->end('Delete product'); ?></li>
<?php } ?>
You should also require that the registration and login forms be POST requests. The
code will be similar to what we have implemented here.
Giving feedback for invalid requests
Your final task was to use the blackHoleCallback to give the user an appropriate response to an invalid request. Its purpose is to provide helpful, friendly feedback instead of a nasty server error.
One possible implementation for this code is provided below.
Listing 5. Friendlier information for a bad request
function beforeFilter()
{
    $this->Security->requireAuth('delete');
    $this->Security->requirePost('delete');
    // Name the controller action the Security component should call
    // instead of returning its default server error.
    $this->Security->blackHoleCallback = 'invalid';
}
function invalid() {
    // Send the 400 status line before any output.
    header('HTTP/1.1 400 Bad Request');
    echo('<h1>Tor</h1>');
    echo('<p>We\'re sorry - there has been a problem processing your request.
    Please try submitting the form again.</p>');
    die;
}
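The following is an added example, not the tutorial's code: a ProductsController variant of Listings 3 and 5 that logs each refused request (with the reason and the client address) before answering it, and renders the friendly message through the normal layout instead of echo and die. It assumes the 1.2 Security component passes the black-hole reason to the callback and that a views/products/invalid.ctp view exists.

```php
<?php
// Added example (not the tutorial's code): ProductsController variant of
// Listings 3 and 5 that logs each refused request before answering it.
class ProductsController extends AppController {
    var $name = 'Products';
    var $components = array('Security');

    function beforeFilter() {
        // Deleting changes the database: only a POST carrying the form
        // token the Security component expects may reach the action.
        $this->Security->requireAuth('delete');
        $this->Security->requirePost('delete');
        $this->Security->blackHoleCallback = 'invalid';
    }

    // Called by the Security component for a request it refuses. That it
    // passes the reason ('post', 'auth', ...) as $error is assumed from
    // the 1.2 component, hence the default value.
    function invalid($error = '') {
        // A record of who sent what; repeated entries from one address
        // are the kind of pattern worth reviewing in tmp/logs/error.log.
        $this->log(sprintf('Security black hole (%s) on %s from %s',
            $error, $this->here, env('REMOTE_ADDR')));
        $this->header('HTTP/1.1 400 Bad Request');
        $this->pageTitle = 'Tor';
        $this->set('reason', $error);
        // views/products/invalid.ctp (assumed to exist) carries the
        // friendly message of Listing 5 inside the normal layout.
        $this->render('invalid');
        // Stop, as Listing 5 does with die, so the refused request never
        // reaches the original action.
        $this->_stop();
    }
}
```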
Changing the default layout
You will be adding a favorite products feature to Tor. The visitors to your site should
be able to save products for later, or use an RSS feed to keep track of new products