Archive for March, 2006


Atlanta PHP Podcast

Sun, 5 Mar 2006 3:39 UTC

On Thursday, March 2, Atlanta PHP gathered for its usual monthly meeting. However, this time, I decided to try to capture an audio recording of our meeting. The audio from the podcast attempt of our meeting actually turned out much better than I anticipated, given the equipment used to create the recording: my PowerBook’s internal microphone. Yet, the Q&A session we had following Kevin Roberts’s presentation had to be cut for two reasons: a) time and b) it was too hard to hear most of the discussion.

Vaporware No More: Zend Framework Available

Sat, 4 Mar 2006 19:40 UTC

A preview release of the Zend Framework is now available, and, so far, I must say that all looks well.

The one thing that I’m a bit curious about is the apparent removal of the Active Record implementation, Zend_Db_DataObject. The documentation for this object exists in the Programmer’s Reference Guide, but it’s nowhere to be found in the API. I wonder whether the implementation exists in a different form in Zend_Db or whether it was scrapped altogether.

The Active Record implementation aside, one of the other features I was looking forward to was the Zend_InputFilter framework. I know that Chris will undoubtedly write much more about this, but I wanted to point out one very cool feature: the strict mode.

The strict mode works like this: you pass an array of tainted data (let’s say the $_POST array) to Zend_InputFilter to create a new object to access the data in a safe manner, and, then, by default, $_POST is set to NULL for the remainder of the script—you simply cannot access the raw, tainted data from $_POST. Here’s an example:

<?php
 
$filterPost = new Zend_InputFilter($_POST);
$username   = $filterPost->isAlpha('username');
 
var_dump($username); // will either contain the value of 
                     // $_POST['username'] (if it contains only 
                     // alphabetic characters) or FALSE
var_dump($_POST);    // will print NULL
 
?>

This strict mode could be very useful in an environment with a team of application developers. Just set auto_prepend_file in php.ini to load up a script that grabs all autoglobal variables ($_POST, $_GET, $_COOKIE, etc.) and stores them to Zend_InputFilter objects, and you never have to worry about your team accessing raw data—they must always use the Zend_InputFilter object to get to the data. (There is a getRaw() method of this object, but I’ll let Chris discuss it in more detail.)
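The prepend script described above, as an added example that is not from the original post or from Zend Framework: `StrictInput` is a hypothetical stand-in for Zend_InputFilter that reproduces only the strict-mode behaviour (take the array by reference, keep a private copy, set the caller's array to NULL), and the file path and sample request values are constructed.

```php
<?php
// Added example, not Zend Framework code. StrictInput is a hypothetical
// stand-in that mimics the strict mode described in the post.
final class StrictInput
{
    private $source;

    // The array is taken by reference so the caller's copy can be discarded.
    public function __construct(&$source, $strict = true)
    {
        $this->source = is_array($source) ? $source : array();
        if ($strict) {
            $source = null; // the superglobal no longer holds the raw data
        }
    }

    // Returns the value if it is a non-empty alphabetic string, FALSE otherwise.
    public function isAlpha($key)
    {
        if (!isset($this->source[$key]) || !is_string($this->source[$key])) {
            return false;
        }
        return ctype_alpha($this->source[$key]) ? $this->source[$key] : false;
    }
}

// Body of the prepend script, loaded for every request with a php.ini line
// such as (path is an assumption):
//   auto_prepend_file = /etc/php/prepend.php

// Constructed sample request so the file can also be run from the CLI.
if (PHP_SAPI === 'cli') {
    $_POST    = array('username' => 'alice', 'comment' => '<script>x</script>');
    $_GET     = array('page' => '2');
    $_COOKIE  = array();
    $_REQUEST = $_GET + $_POST;
}

// $_REQUEST is a separate copy of the GET/POST/COOKIE data, so wrap it too;
// otherwise the raw values stay reachable through it.
$filterPost    = new StrictInput($_POST);
$filterGet     = new StrictInput($_GET);
$filterCookie  = new StrictInput($_COOKIE);
$filterRequest = new StrictInput($_REQUEST);

var_dump($filterPost->isAlpha('username')); // alphabetic value passes
var_dump($filterPost->isAlpha('comment'));  // markup is rejected
var_dump($_POST, $_REQUEST);                // both emptied by strict mode
```

Emptying the superglobals does not close every route to the request: the raw body is still readable through `php://input`, so this setup guides a team toward the filter objects rather than enforcing their use.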

Finally, lots of folks are already talking about this. Here are some links:
