Blog Redesign
I had some free time today and decided to redesign the blog. I just recently upgraded my browser to Firefox 3 since I heard it already became stable. The previous design was broken in FF3 and aside from that I have been longing to adjust the width and font size of this blog for readability. On top of that, PrometSource, previously known us Promet Solutions, new website is UP. We recently faced a transition in the company to better serve our clients.
We are always looking for best possible ways for our readers to enjoy their stay. If you think we can make it look better, please feel free to add your comments below.
Setting Frontpage in CakePHP
Hello again readers,
I have another topic for newbies like me. I know this will help you. And this is very, very easy and it’s a common thing to do when developing websites. It’s establishing a homepage. Here’s how and this won’t take long.
1. Code your desired design. This does not require you to complete the entire html tags. Just the contents inside <body></body> would be fine.
2. Then save it as home.ctp and upload to app/views/pages.
And that’s it. You can now check your new homepage design.
Setting Your Page Layout in CakePHP
I am not a pro in CakePHP, and in fact, i am just a beginner who wanted to explore it. When I was on my way to creating my goal, I stumbled upon a problem on how to change and then set the new page layout to be used. Honestly, the problem didn’t took me long to solve. I was lucky to have read the manual on the official site. So to cut the long story short, here is the list of steps which I did to come up with my new and first page layout on my CakePHP inspired website and you might consider following this little manual, too.
1. First, design the layout that you wanted to implement and use. Assuming we have the simple code below as your desired page layout.
<html>
<head>
<title></title>
</head>
<body>
</body>
</html>
2. After having established the base, let us now put the code that will show the title of your page. We will use $title_for_layout to do the job. So your head section will now look like this:
<head>
<title><?php echo $title_for_layout?></title>
</head>
3. Next inline would be displaying the contents. We will use $content_for_layout. It will tell CakePHP where to place the code for your views. Our code now will look like this one.
<html>
<head>
<title><?php echo $title_for_layout?></title>
</head>
<body>
<?php echo $content_for_layout ?>
</body>
</html>
4. Then save it as app/views/layouts/default.ctp.
Next topic would be creating and using multitle layouts for single website. Please feel free to share your views which you think can help us beginners make a step higher on CakePHP.
CakePHP 1.2: Using Auth with ACL
A project we’re working on needed something to keep track of user activity and restrict parts of the application to certain users/groups. We are using CakePHP 1.2 and decided to use its built-in support for user authentication and access control list. Though each of them is nicely documented at the Cookbook, there wasn’t much info or resource that shows how to put these two components to work together. Fortunately, we have found some nice tutorials/articles that helped us implement them into our application. Check out those links at the end.
The Setup
We want to restrict certain actions to certain types of users. But instead of assigning permissions to each user, we just divide users into groups and assign permission to groups. Users under the same group have the same set of permission.
For this example, we’ll be dividing users into groups namely: admin, editor and member.
Setting up the database tables
Users Table:
CREATE TABLE `users` ( `id` INT UNSIGNED NOT NULL AUTO_INCREMENT , `username` VARCHAR( 20 ) NOT NULL , `password` VARCHAR( 50 ) NOT NULL , `group_id` TINYINT( 2 ) NOT NULL DEFAULT '0', PRIMARY KEY ( `id` )) ENGINE = MYISAM ;
Groups Table:
CREATE TABLE `groups` ( `id` INT UNSIGNED NOT NULL AUTO_INCREMENT , `parent_id` INT UNSIGNED NOT NULL DEFAULT '0', `name` VARCHAR( 20 ) NOT NULL , PRIMARY KEY ( `id` ) ) ENGINE = MYISAM ;
ACL Tables:
The sql dump for the acl table can also be found at the app/config/sql folder of your application
CREATE TABLE acos ( id INTEGER(10) UNSIGNED NOT NULL AUTO_INCREMENT, parent_id INTEGER(10) DEFAULT NULL, model VARCHAR(255) DEFAULT '', foreign_key INTEGER(10) UNSIGNED DEFAULT NULL, alias VARCHAR(255) DEFAULT '', lft INTEGER(10) DEFAULT NULL, rght INTEGER(10) DEFAULT NULL, PRIMARY KEY (id)); CREATE TABLE aros_acos ( id INTEGER(10) UNSIGNED NOT NULL AUTO_INCREMENT, aro_id INTEGER(10) UNSIGNED NOT NULL, aco_id INTEGER(10) UNSIGNED NOT NULL, _create CHAR(2) NOT NULL DEFAULT 0, _read CHAR(2) NOT NULL DEFAULT 0, _update CHAR(2) NOT NULL DEFAULT 0, _delete CHAR(2) NOT NULL DEFAULT 0, PRIMARY KEY(id) ); CREATE TABLE aros ( id INTEGER(10) UNSIGNED NOT NULL AUTO_INCREMENT, parent_id INTEGER(10) DEFAULT NULL, model VARCHAR(255) DEFAULT '', foreign_key INTEGER(10) UNSIGNED DEFAULT NULL, alias VARCHAR(255) DEFAULT '', lft INTEGER(10) DEFAULT NULL, rght INTEGER(10) DEFAULT NULL, PRIMARY KEY (id) );
Setting up the models
After setting up the tables, we now move on to creating the models for our CakePHP application:
User model:
uses('Sanitize'); class User extends AppModel { var $name = 'User'; // Set the User model to use the ACL Behavior // This will take care of ACL-related things when working on // this model like adding/deleting the corresponding ARO node // when a user is added/deleted. var $actsAs = array('Acl'); // Associate with the Group table var $belongsTo = array('Group'); function parentNode(){ if (!$this->id) { return null; } $data = $this->read(); if (!$data['User']['group_id']){ return null; } else { return array('model' => 'Group', 'foreign_key' => $data['User']['group_id']); } } // Ok, even if the ACL behavior takes care of the insertion of the // corresponding ARO node, it doesn't save an alias so you have to // give one yourself. We'll be using the username for the alias. // We'll do this after a new user is saved/inserted, so do it inside // the model's afterSave function function afterSave($created) { // Do this if the save operation was an insertion/record creation // and not an update operation if($created) { // Ah, yes... we'll be needing the Sanitize component $sanitize = new Sanitize(); // Get the id of the inserted record $id = $this->getLastInsertID(); // Instantiate an ARO model that will be used for updating // the ARO $aro = new Aro(); // I'm using updateAll() instead of saveField() // Instead of querying the table to get the id of the // ARO node that corresponds to the user, I just provided // two field conditions whose combination uniquely identifies // the node (Model=> User, Foreign Key=> User id). // I don't know why it wasn't sanitizing my input and not // enclosing the input in quotes. I had to do it myself $aro->updateAll( array('alias'=>'\''.$sanitize->escape($this->data['User']['username']).'\''), array('Aro.model'=>'User', 'Aro.foreign_key'=>$id) ); } return true; } }
The line:
var $actsAs = array('Acl');
Sets the model to use CakePHP built-in ACL behavior. This will take care of ACL-related things when working on this model like adding/deleting the corresponding ARO node when a user is added/deleted.
When using the ACL Behavior, you need to provide a parentNode() method in your model. The parentNode() method returns the id of the parent of the current acl node. A tree structure is used to implement ACL, so you can either directly assign permission to a node or just allow a node to inherit the permissions of its parent.
I found out from Geoff’s blog (LemonCake) that the key to using groups for user permission is to set the user aros as children of the a group aro. You can do this inside the models parentNode() method:
Group Model:
// Okay, I won't be commenting on this since this almost the same // as what you can see from the user model definition uses('Sanitize'); class Group extends AppModel { var $name = 'Group'; var $actsAs = array('Acl'); function parentNode(){ if (!$this->id) { return null; } $data = $this->read(); if (!$data['Group']['parent_id']){ return null; } else { return $data['Group']['parent_id']; } } function afterSave($created) { if($created) { $sanitize = new Sanitize(); $id = $this->getLastInsertID(); $aro = new Aro(); $aro->updateAll( array('alias'=>'\''.$sanitize->escape($this->data['Group']['name']).'\''), array('Aro.model'=>'Group', 'Aro.foreign_key'=>$id) ); } return true; } }
Setting up the controllers
Okay now, let’s keep the code short. We won’t provide any user registration here, just a way of logging users in and out of the application.
users_controller.php:
class UsersController extends AppController { var $name = 'Users'; // We will be using the Acl and Auth component // The order you declare the components is // important. Acl first before Auth or you // will get an error message. var $components = array('Acl', 'Auth'); // This is how complicated the login part // gets when using the auth component. function login() { } // ... and the logout part function logout() { $this->redirect($this->Auth->logout()); } function beforeFilter() { $this->Auth->logoutRedirect = array( 'admin' => false, 'controller' => 'pages', 'action' => 'index' ); } }
Now that takes care of the user authentication. To use Auth w/ ACL in our controllers, we first need to include the components (of course!). Make sure that Acl goes before the Auth component or else, you’ll get an error message.
var $components = array('Acl', 'Auth');
Then, we need to set the Auth component to treat the controller and actions as our access control objects. Inside the beforeFilter() method:
function beforeFilter() { $this->Auth->authorize = 'actions'; }
Setting Up AROs, ACOs and Permissions:
Our AROs will be the users and groups. Since our user and group models already use the ACL behavior, we no longer have to worry creating AROs for them- they are already created when a new user or group is added. We only have to deal with creating ACOs. If you’ve already read the part of the manual about access control lists, you’ll find out that adding an ACO is just like saving data using models. You just need to specify the name of the controller/action as its alias and its parent id.
$aco = new Aco(); $aco->create(); $aco->save(array( 'model'=>null, 'foreign_key'=>null, 'parent_id'=> $parentIdIfAny, 'alias'=> $nameOfControllerOrAction ));
You might want to have a root node where all default permissions will be based upon. Then this node will contain child nodes, which will be our controller names. Then each controller will have action names as child nodes.
Controller
|- Pages
| |- index
| |- about
| |- contact
|- Articles
|- index
|- view
|- add
|- edit
|- delete
To assign permissions, use the allow() and deny() methods of the ACL component. These methods takes at least 2 parameters: first is the ARO and second is the ACO. We could reference an ARO/ACO node using its alias or by providing an array of field conditions that uniquely describes the node.
$this->Acl->allow(array('model'=>'Group', 'foreign_key'=>$groupId), $nameOfControllerOrAction);
Since it is very likely that different controllers to have the same action names (thus making their alias non-unique and cause ambiguity), we can specify the path to the node using slashes (/).
$this->Acl->allow(array('model'=>'Group', 'foreign_key'=>$groupId), 'Pages/index'); $this->Acl->allow(array('model'=>'Group', 'foreign_key'=>$anotherGroupId), 'Articles/index');
You can deny all permissions on the root node (in this case, the ‘Controller’) to set default permissions that will be inherited by all the controllers. Then grant permission per controller or per action.
The Test Run:
I provided a simple app demo for download (acl_demo.zip).
1) Extract the contents of the zip file.
2) Run the sql file found inside the models folder
3) Edit the content (ROOT, APP_DIR and CAKE_CORE_INCLUDE_PATH paths) of index.php under the webroot folder according to you CakePHP setup
4) Access the index page of the app (ex: http://localhost/acl/) and click the setup button. Take note of the username and password of the accounts that will be created.
5) Login and test the application. Members page should only be accessible to members and admin. Editors page to editors and admin. Administrators page to administrator only.
Errors, corrections or suggestions? Feel free to leave a comment.
Sources:
http://manual.cakephp.org/view/171/access-control-lists
http://manual.cakephp.org/view/172/authentication
http://lemoncake.wordpress.com/2007/07/15/using-aclbehavior-in-cakephp-12/
http://lemoncake.wordpress.com/2007/07/19/acl-with-groups/
http://aranworld.com/article/161/cakephp-acl-tutorial-what-is-it
Tip: use CakePHP Route::url() for your URLs
Routing is one of the amazing features of CakePHP because it makes the urls beautiful. We use this most of the time and last time, I blogged about the helper to shortcut ones typing when using the HTML helper. Overtime, I realize how helpful it can be. Read on.
Always use array when passing parameters when creating a link or using Router::url(), it will save you time in the future. Why? Consider this scenario:
You created a controller /users/register and in your code and you added this
<?php echo $html->link('User Registration', '/users/register')?>
Then your group or your boss decided to use a better name /register. Your initial thought would be to replace all those texts to those new ones, isn’t it? There is a better approach. Try the ffg:
In /config/router.php
<?php Router::connect('/register', array('controller'=>'users','action'=>'register')); ?>
In your view:
<?php echo $html->link('Registration', array('controller'=>'users','action'=>'register'))?>
the HTML helper uses Router::url() in its link function and the Router class magically converts array parameters to what you stated in your config. In writing urls, we have to be consistent because it can be bad for SEO when you have too many urls pointing to the same location.
Although the above works beautifully but it can be a tedious job. I wrote not long ago about the html helper that could make this approach easier so you could write the ffg in your view.
<?php echo $html->link('Registration', url( 'users', 'register', null, 'teacher' ))?>
It saves a few characters!
From the last post, I refactored it and placed it in the bootstrap so I can call it anywhere (got that idea from the google groups).
Here it is:
function url() { $args = func_get_args(); $count = func_num_args(); if ( $count == 1 ) { if ( is_array( $args[0] ) ) { $args = $args[0]; $count = count($args); } else { return $args[0]; } } $short_keys = array( 0 => 'controller', 1 => 'action', 2 => 'plugin', 'c' => 'controller', 'a' => 'action', 'p' => 'plugin', ); foreach ( $short_keys as $short_name => $long_name ) { if ( isset( $args[$short_name] ) ) { $args[$long_name] = $args[$short_name]; unset( $args[$short_name] ); } } // Need to explicitly assign plugin key if ( !isset( $args['plugin'] ) ) $args['plugin'] = null; if ( !isset( $args['action'] ) ) $args['action'] = 'index'; if ( !isset( $args['admin'] ) ) $args['admin'] = false; $routing = Configure::read('Routing.admin'); if ( preg_match( "/^{$routing}_/", $args['action'] ) && $routing ) { $args['admin'] = true; $args['action'] = substr( $args['action'], strlen($routing) + 1 ); } return $args; }
The function above could take an array OR any number of string parameters.
url ( 'controller', 'action', 'plugin_name', ...[more params here] ) url ( array( 'c' => 'controller', 'a' => 'action', 'p' => 'plugin' ) )
The first one is strict for the first 3 parameters. The latter can be written in any order as you like. I also added support for prefix routing such as admin_*. So you can write:
url ( 'controller', 'admin_action', 'plugin_name', ...[more params here] ) url ( array( 'c' => 'controller', 'a' => 'admin_action', 'p' => 'plugin' ) )
Router::parse() can also be used instead of url() function but the latter is faster.
That’s it. Happy Baking!
Convenient $html->link()
I made this quick helper that extends Html Helper. While creating my very first plugin for cakephp 1.2, I decided to use Route so that I can save some space and time typing long controller names. Here is the sample code in my views:
echo $html->link( 'Link Test', array( 'controller' => 'long_controller_name', 'actions' => 'index', 'plugin' => 'long_plugin_name' ) );
I am a lazy typist and so I wanted to be able to use shortcut names for the array keys such as the following:
c = controller a = action p = plugin OR use numbers 0 = controller 1 = action 2 = plugin
I couldn’t find in the bakery any solution so I decided to create my own Html helper. Here is how you can install it:
First, add this file to your helpers folder located in /cakedir/app/views/helpers/. (Download XHTML Helper)
Then, in your controller file, include the Xhtml to your helpers list. Example
class MyController extends AppController { ... var $helpers = array( 'Xhtml' ); ... }
That’s it. You can use it by doing the following:
echo $xhtml->link( 'Link Test', array( 'c' => 'long_controller_name', 'a' => 'index', 'p' => 'long_plugin_name' ) );
OR
echo $xhtml->link( 'Link Test', array( 'long_controller_name', 'index', 'long_plugin_name' ) );
Take note of using xhtml instead of html. I hope I don’t mislead anyone for using the name XHTML :P. I just want an extended HTML helper.
Tags: html helper, route
What is compact() in controller?
I don’t know how much functions in php I do not know but everyday I am finding new ones specially when I started tinkering CakePHP 1.2 last week. And my latest discovery is …. compact function. After using the console script, I found this code in the controllers
$users = $this->User->Teacher->find('list'); $this->set(compact('users'));
compact is a native PHP function that creates an array containing variables and their values. Chris Hartjes explains it well in his blog. It’s quite neat because it will save me a few lines and spaces.
There you go, our new gem today: compact()
Tags: compact, discovery, functions, tricks
ISTV video platform featured in Roll Call
ISTV, a video platform created in CakePHP, was featured in Roll Call last April 17, ‘08! For those who are not aware, Roll Call is a newspaper of Capitol Hill. ISTV on the other hand is a youtube like application but it is geared towards politicians and trade groups although we are not closing our doors to other market. For the meantime, we’ll try our best to surpass the current competition! Here is a little snippet from the paper:
A private company is hoping Members will pony up cash for their own YouTube-like program - one that has the franking commission’s approval. Most Members use YouTube to embed videos on their Web sites, breaking House franking rules - often unknowingly - in order to keep up with a multimedia world. But Advocacy Inc. and Global Vision Communications together are
offering a similar, more personalized and House-approved service for $2,000 a year.
…
The program itself works much like a private YouTube, with Members at the controls. A staffer can quickly upload video of the boss’s latest floor speech and personalize the display through a series of options. For example, a Member’s site can feature a poll next to a video or a comments section. Videos can be e-mailed and shared - or not, depending on the Members’ preferences. And it all is embedded into the official House site, never leading the viewer away to a YouTube full of advertisements. Rep. Tom Price (R-Ga.), who serves on the franking commission, is the only Member currently using the product. Spokesman Brendan Buck said he has no technical background but is able to upload videos easily.
woot! woot!
The CookBook
CakePHP Documentation is being cooked!
Many are excited about this fact, because as we all know, the current manual isn’t that good. But as one of the bakers said, it’s about time to do something about it instead of finding excuses why this is the case.
Currently, developments on the new documentation for the framework is being worked out and the main catch is it’s wiki-like approach where everyone, who has a Bakery account, that is, can add in a suggestion, comment or even edit a section. Each post is subject for approval, though, by the bakers behind the CookBook, for moderation maybe.
Although for others, a good documentation doesn’t matter, but for a beginner, it’s a great big deal to have a very informative manual which will help them to become more familiar with a certain application. A manual with a good and well understood introduction and background is a very welcoming way for beginners to try new applications, that will give them less hassle instead of a more complicated experience on using them.
As for the CookBook, check it out now and contribute for a well understood and informative CakePHP Documentation.
Tags: cakePHP, cakePHP documentation, cakePHP manual, CookBook
Handling SQL injection in CakePHP
One benefit of using a framework is that some of the most common problems we will encounter when building web applications from scratch is already taken cared of, that is if properly used. Today, we will discuss one of the most common problem we have experienced specially for beginners – SQL Injection.
Let’s begin first by defining SQL Injection. According to wikipedia, SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, user input must be escaped, or parameterized statements must be used.
CakePHP handles this in its data abstraction layer by using mysql_real_escape_string(). To use effectively, programmers must comply to its rules. Why did I say comply? Some of model functions are very loose with what kind of parameter type to accept. This setting has caused some of the newcommers to not see the benefit of passing conditions by array. Let’s take for an example the findAll() function.
Model::findAll ( $conditions = null, $fields = null, $order = null, $limit = null, $page = 1, $recursive = null )
- Parameters:
| mixed | $conditions SQL conditions as a string or as an array(’field’=>’value’,…) | |
| mixed | $fields Either a single string of a field name, or an array of field names |
The $conditions accepts both string and array for its passed values. Logically, only the data passed as an array will be escaped. Using arrays allows CakePHP to generate the most efficient query possible, ensure proper SQL syntax, and properly escape each individual part of the query.
For complex find queries, we may opt for the string condition and do all the dirty work. As of this writing, CakePHP is now offering a solution to build complex conditions using arrays.
Cake can parse out any valid SQL comparison operator, including match expressions using LIKE, BETWEEN, or REGEX, as long as we leave a space between the operator and the expression or value.
array("Post.title" => "<> This is a post")
Below is the adaptation of the IN (…)-style matches
array("Post.title" => array("First post", "Second post", "Third post"))
By default, the framework joins multiple conditions with boolean AND. To accept other boolean conditions, we could do the ffg:
array ("or" => array ( "Post.title" => array("First post", "Second post", "Third post"), "Post.created" => "> " . date('Y-m-d', strtotime("-2 weeks")) ) )
Or like this:
array ("Author.name" => "Bob", "or" => array ( "Post.title" => "LIKE %magic%", "Post.created" => "> " . date('Y-m-d', strtotime("-2 weeks") ) )
More explanation of this can be found at the Manual: Complex Find Conditions (using arrays).
Model::save() is more strict so I did not see any problem following its rules. If you have questions for a certain model function syntax, the API can be a great resource.
With the benefit of these Model functions, we must still have to adapt to the framework’s environment which maybe of a disadvantage at first. It will just be your choice which manners will best suit you. At the end of the day, what will matter is that the code we produce is readable, maintanable and most of all secure.
Source:
- SQL_injection
- Guid to PHP Security (PDF)
- mysql_real_escape_string vs addslashes
- mysql_real_escape_string vs addslashes Discussion
- CakePHP Manual: Models
Tags: model, sql injection