panique / mini
Just an extremely simple naked PHP application, useful for small projects and quick prototypes. Some might call it a micro framework :)
I have installed your skeleton.
When I click on http://127.0.0.1/php_mvc/home/exampleone in the demo navigation I get an error 404.
Using the URL (http://127.0.0.1/php_mvc/home/exampleone) in my browser I get the same error.
I have changed nothing in the code.
First of all thanks a lot for sharing this bootstrap!
What would be the most common way of implementing a separated frontend, when using the implemented version of songs as a backend for the website?
Any hint is appreciated and very helpful :)
EDIT: I changed the root name from php-mvc to mvc. I changed it back and it works perfectly. Much better than CakePHP.
It won't let me access the public/ folders.... No CSS, no pictures and no javascript.
I really like what I see so far. I was thinking about using Cake, but it does too much behind the scenes. Keep up the good work!
Hello,
I am very interested in using this framework, but we run a Windows environment with IIS 7.0. Is it possible to achieve this? My concern is primarily with the .htaccess.
IIS uses web.config files. Attempting to import the .htaccess into the web.config system gives the following:
Considering the people who will use this library, could you please fix your demo?
For example you are using strip_tags here with the incorrect comment above it:
// clean the input from javascript code for example
strip_tags does no such thing. It (as the name points out) strips tags and that's it. Further on in the demo code in the "view" you do:
<?php if (isset($song->artist)) echo $song->artist; ?>
Now again considering the specific audience to which this library is aimed at, they might think: "Awesome! I will just copy paste this code and use it in a form!".
And now suddenly you can throw as much strip_tags at the problem as you like, but you will always have a My Vulnerable Code problem.
On top of that there is just no reason to use strip_tags when inserting that data in the database. Use the proper tools for the job. Use htmlspecialchars($data, ENT_QUOTES, '{encoding}') when outputting the data instead.
Regards,
MC <script>
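The point made above, as an added example (this is not code from the php-mvc demo or from the poster): strip_tags() leaves a tag-free payload untouched, and that payload becomes live markup the moment it is echoed into an attribute, whereas htmlspecialchars() at output time neutralises it. The helper names sanitizeLikeTheDemo() and e() and the sample artist strings are constructed for this example; 'UTF-8' stands in for the '{encoding}' placeholder in the post.

```php
<?php
declare(strict_types=1);

// Added example, not code from the php-mvc demo. Shows why strip_tags() is
// not an XSS defence and why escaping belongs where the data is echoed.

/** What the demo applies on input: tag stripping, nothing more. */
function sanitizeLikeTheDemo(string $input): string
{
    return strip_tags($input);
}

/** Escape for an HTML body or a quoted-attribute context. */
function e(string $value, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

// Constructed attacker input: it contains no tags at all, so strip_tags()
// leaves it intact, but it closes the value="" attribute it is echoed into.
$artist = 'Bob" onmouseover="alert(document.cookie)';
$stored = sanitizeLikeTheDemo($artist);

// The view's pattern, <?php echo $song->artist; ?>, used inside an attribute:
$vulnerable = '<input name="artist" value="' . $stored . '">';
// The same line with escaping at output time:
$safe = '<input name="artist" value="' . e($stored) . '">';

echo 'strip_tags() changed the input: ', ($stored === $artist ? 'no' : 'yes'), PHP_EOL;
echo "vulnerable: $vulnerable", PHP_EOL;   // value="Bob" onmouseover="alert(document.cookie)"
echo "escaped:    $safe", PHP_EOL;         // value="Bob&quot; onmouseover=&quot;alert(document.cookie)&quot;"

// The other cost of stripping on input: legitimate data is silently altered.
// A constructed title "<untitled>" looks like a tag and disappears entirely.
echo 'data loss:  ', var_export(sanitizeLikeTheDemo('1. <untitled>'), true), PHP_EOL;   // '1. '
```

Store the raw value, escape at output, and pick the escaper for the context: htmlspecialchars() covers HTML text and quoted attributes, but a value placed inside a script block or a URL needs JSON or URL encoding instead.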
$_GET['url'] isn't being called anywhere, so the demo environment isn't even working...
Or am I missing something?
Hi,
I just saw that you are building URLs using the structure "controller/action/param".
I wonder if someone else has already introduced more flexible URL routing so we can easily override URLs without needing to change controller and method names.
Thanks!
As viewing a PDO SQL statement is a big pain in the ass and in general a big issue in development, I've built a simple tool that emulates the PDO output. Not perfect, but does the job for 99% of all situations. Might be a good fit for this project, where people want to see what they send to the database.
I've just written a version of php-mvc that runs without mod_rewrite enabled, and I love it already :)
(see the branch feature-nomodrewrite for more).
Problem:
The .htaccess files are ignored without mod_rewrite, so basically all .php files are callable from the outside, which is especially dangerous for view files (they can be "viewed" by an attacker easily).
Question:
Does somebody know how to protect any .php files (and/or folders) from being called WITHOUT having mod_rewrite / AllowOverride activated in the Apache configs? I'm planning on publishing the mod_rewrite-free version here, but it's not possible if such security holes exist.
And by the way: Is there a proper way to protect view files from being called directly? How do other frameworks do this? Maybe somebody has more experience with that!?
I downloaded your project and installed it.
This is my project directory
and I set the config file too, but I got this error:
```
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at [email protected] to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
Apache/2.4.9 (Win64) PHP/5.5.12 Server at localhost Port 80
```
I have created a Products controller and I pass an argument through the index method like
http://127.0.0.1/product/index/123
How can I make it work like
http://127.0.0.1/product/123
I would really appreciate your help on this topic.
Hi!
Thanks for a very good mvc. In the "Songs" page I am trying to implement an update functionality. So I add links for update in the views/songsindex.php by adding the line
Then I add the method updateSong in songsmodel.php
Then I am stuck. I need to display a sticky form for the chosen post and I simply can't figure out how to do it.
This is my first OOP/MVC adventure (which you can probably tell). I come from the procedural world and want to hammer OOP/MVC home.
Great looking and educational framework but I'm really struggling here and would appreciate any passing nginx experts having a look.
I've played with some other basic MVC frameworks and never had the problem where a normal nginx try_files wouldn't work.
So, for example:
```nginx
location /manage/login {
    try_files $uri $uri/ /manage/login/index.php;
}
```
But, of course, I can see from the .htaccess and application.php that this uses ?url= GET arguments.
So, after 5 hours of reading http://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER and http://wiki.nginx.org/HttpCoreModule#.24args and http://nginx.org/en/docs/http/converting_rewrite_rules.html I've tried various of the following (the install folder is manage/login):
```nginx
location /manage/login {
    try_files $uri $uri/ /manage/login/index.php?url=$uri;
}
```
also
```nginx
try_files $uri $uri/ /manage/login/index.php?url=$uri;
try_files $uri $uri/ /manage/login/index.php?url=$args;
try_files $uri $uri/ /manage/login/index.php?url=$uri$args;
try_files $uri $uri/ /manage/login/index.php?$args;
```
and other combinations of the above. No matter what I put, it always says:
You are in the controller home, using the method index()
You are in the View: application/views/home/index.php
I found another lost soul at http://forum.nginx.org/read.php?2,247614,247647#msg-247647 but again, he wasn't having much luck.
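An nginx configuration for the /manage/login install in the post above, added here as an example; it is neither part of php-mvc nor the poster's. It assumes index.php sits at /manage/login/index.php, that the usual `location ~ \.php$` block passing to php-fpm already exists in the same server block, and, as the earlier posts describe, that php-mvc reads its route from the url query parameter in controller/action/param form. The attempts above hand the router the full $uri (/manage/login/home/exampleone), so the first segment it sees is not a controller name and it falls back to home/index; the named location below passes only the part after the install folder.

```nginx
# Added example for the /manage/login install discussed above; not part of php-mvc.
# Assumes an existing "location ~ \.php$ { ... fastcgi_pass ...; }" block in this server {}.

# Dotfiles (.git, .htaccess) and the application tree are never served, whatever the
# routing below does. Regex locations are matched in order of appearance, so keep these
# two above the \.php$ location.
location ~ ^/manage/login/application(/|$) { return 404; }
location ~ /\. { return 404; }

location /manage/login/ {
    # Real files (public/css, public/js, public/img) are served as-is;
    # everything else is handed to the front controller.
    try_files $uri $uri/ @phpmvc;
}

location @phpmvc {
    # Equivalent of the ?url= rewrite in the .htaccess: pass only the path after the
    # install folder. The original query string is kept, because nginx appends the old
    # arguments after the ones given in the replacement.
    rewrite ^/manage/login/(.*)$ /manage/login/index.php?url=$1 last;
}
```

After a reload, `curl -i http://host/manage/login/home/exampleone` should reach the exampleone action, and `curl -i http://host/manage/login/application/config/config.php` should return 404 rather than the file.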
Hi, I am trying to create a front-end shopping cart for non-signed-in guests.
If a guest signs in, they will log in to the customer back-end panel to do shopping, where the shopping experience in this panel and the one at the front end is different.
I would like to also allow a company user to create orders on behalf of a customer.
In this case, the handling of the shopping code I want to do differently, but the shopping cart experience (the VIEW) I want to make the same for all users.
My question is:
If I have a system that has 3 - 4 different types of user, what is the directory structure that I should build for the MVC? Is it MVC for the front end, MVC for the customer back end, and MVC for the admin back end?
If yes, then how should I do the VIEW folder? Because to a certain extent, the VIEW folder for the shopping cart should be shared, and should be duplicated.
Hope to hear your response.
Thanks
I guess the collation of the DB and tables should be utf8_general_ci or utf8_unicode_ci.
Regards
Petros
Out of the scope of this script, but this will save lots of people's lives :)
http://stackoverflow.com/questions/6142437/make-git-directory-web-inaccessible
http://serverfault.com/questions/128069/how-do-i-prevent-apache-from-serving-the-git-directory
LITTLE NOTICE FROM PHP-MVC AUTHOR:
Please don't panic, this ticket here shows some security issues that are indeed real, but php-mvc is on the same level of security as most mainstream PHP scripts in the world, like Wordpress, lots of CMS and major frameworks! The cases shown here are real, but these security "holes" can be found in most PHP scripts/installations in the world, including lots of popular sites.
These security issues will be fixed within the next 14 days by a simple movement of the index.php and .htaccess changes, so you can update to the fixed version easily.
Big thanks to @AD7six for the good information!
Following on comments made to this SO question. If no other action comes from this ticket it would be wise to clarify beyond doubt the purpose of the repository as currently:
Which is quite contradictory, it's for beginners who know what they are doing.
The readme makes no mention of that; it is unfair to users who may choose this project for real applications to unwittingly find that the repository they have based their project on is in fact fundamentally unsafe.
Consider the following actions:
```sh
ssh server
git clone https://github.com/panique/php-mvc.git
vim php-mvc/application/config/config.php
```
Resulting in:
```
$ tree php-mvc
|-- CHANGELOG.md
|-- README.md
|-- _tutorial
|   |-- donate-with-paypal.png
|   |-- tutorial-part-01.png
|   |-- tutorial-part-02.png
|   |-- tutorial-part-03.png
|   |-- tutorial-part-04.png
|   `-- tutorial-part-05.png
|-- application
|   |-- _install
|   |   |-- 01-create-database.sql
|   |   |-- 02-create-table-song.sql
|   |   `-- 03-insert-demo-data-into-table-song.sql
|   |-- config
|   |   |-- config.php
|   |   `-- config.php~ # <---- an editor file.
|   |-- controller
|   |   |-- home.php
|   |   `-- songs.php
|   |-- libs
|   |   |-- application.php
|   |   `-- controller.php
|   |-- models
|   |   |-- songsmodel.php
|   |   `-- statsmodel.php
|   `-- views
|       |-- _templates
|       |   |-- footer.php
|       |   `-- header.php
|       |-- home
|       |   |-- example_one.php
|       |   |-- example_two.php
|       |   `-- index.php
|       `-- songs
|           `-- index.php
|-- composer.json
|-- index.php
`-- public
    |-- css
    |   `-- style.css
    |-- img
    |   `-- demo-image.png
    `-- js
        `-- application.js
```
Absolutely all files are accessible in a php-mvc project. For all not-php files that means the source can be read directly. Example:
```
$ curl http://example.com/php-mvc/composer.json
{
    "name": "panique/php-mvc",
    "type": "project",
    "description": "A simple PHP MVC boilerplate",
    ...
```
The problem is not limited to !php files: as most editors generate a tmp/swap/backup file, any file that's edited on the server (or has noise uploaded, if it's deployed via ftp) is also accessible. In the example I gave, a backup/swap file was generated for the config file; that file's contents are also now browsable:
```
$ curl http://server/php-mvc/application/config/config.php~
<?php
/**
 * Configuration
 *
 * For more info about constants please @see http://php.net/manual/en/function.define.php
 * If you want to know why we use "define" instead of "const" @see http://stackoverflow.com/q/2447791/1114320
 */

/**
 * Configuration for: Error reporting
 * Useful to show every little problem during development, but only show hard errors in production
 */
error_reporting(E_ALL);
ini_set("display_errors", 1);

/**
 * Configuration for: Project URL
 * Put your URL here, for local development "127.0.0.1" or "localhost" (plus sub-folder) is fine
 */
define('URL', 'http://127.0.0.1/php-mvc/');

/**
 * Configuration for: Database
 * This is the place where you define your database credentials, database type etc.
 */
define('DB_TYPE', 'mysql');
define('DB_HOST', '127.0.0.1');
define('DB_NAME', 'php-mvc');
define('DB_USER', 'root');
define('DB_PASS', 'mysql');
```
But the bad news doesn't stop there. You can also browse the .git folder if it is "deployed" with the application (if either the project is a checkout on the server, or the .git folder is uploaded via ftp):
```
$ curl http://example.com/php-mvc/.git/config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	fetch = +refs/heads/*:refs/remotes/origin/*
	url = https://github.com/panique/php-mvc.git
[branch "master"]
	remote = origin
	merge = refs/heads/master
```
In and of itself this may disclose sensitive information. Getting a valid response means that by looking around you can browse/download the whole git repo:
```
$ curl http://example.com/php-mvc/.git/packed-refs
# pack-refs with: peeled
2c7c8b01ea5904098bc5a7a22a93781082c8eacc refs/remotes/origin/master
14b1162512b50d3ea0a71f8e0c501a7a30445bae refs/remotes/origin/develop
```
etc.
It is trivial to prevent this; the only side effect being that the public folder is the only folder that is web accessible.
Move /index.php to /public/index.php
Move /.htaccess to /public/.htaccess
Create a new root .htaccess file with the following contents:
```apache
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule (.*) public/$1 [L]
</IfModule>
```
While I have no personal interest in using this project - I'd be grateful if you could address these problems to prevent inexperienced users trying to use it and inadvertently disclosing their application files to the public or worse losing their data etc.
In addition I recommend taking a look at projects such as h5bp's apache config as it addresses these and many more common problems out of the box.
From what I have seen with more modern PHP frameworks, these days it's popular to separate out the entity and the model.
So you would define an entity class for a user which only has the relevant properties with getters and setters, then you would build a model or manager that generates those entities from any supported backend source. (And writes changes to those objects back to the backend)
Right now it looks like the model layer just creates arbitrary objects from what comes out of PDO, and that's not really portable. (If you want to use something other than PDO, you don't have an exact entity or contract to build that new model against, you'd just have to hope that you get all the properties in there)
Is this separation something that's been considered for implementation into this project?
Thank you so much for making this happen though, it's been really hard finding a simple php implementation of the concepts that Symfony and the other frameworks take to a much higher level, which isn't necessary in many cases.
```php
class Model
{
    /**
     * Every model needs a database connection, passed to the model
     * @param object $db A PDO database connection
     */
    function __construct($db) {
        try {
            // note: a plain property assignment cannot throw, so this
            // catch block can never run
            $this->db = $db;
        } catch (PDOException $e) {
            exit('Database connection could not be established.');
        }
    }
}
class SongsModel extends Model
class StatsModel extends Model
```
I have followed php-mvc. I have posted on stackoverflow (http://stackoverflow.com/questions/23588697/how-to-use-static-scripts-with-mvc-architecture).
I can see images in http://localhost/myMVC/user
but I can't see the same image in http://localhost/myMVC/user/login
When I access the bootstrap.css file, it displays the http://localhost/myMVC/user content.
Give out application-wide feedback (positive, negative, etc.) after successful/failed actions.
Hey people, as this barebone got quite good response and obviously is helpful, it might be useful to work on a "more advanced" version in 2014.
Goals: Implement very useful web technologies in a ready-to-go way to encourage people to use them.
UPDATE: This project will get an own repository, like php-mvc-advanced or similar
For example "php-mvc 2" could implement:
1.) SASS/Compass (the improved version of CSS) which compiles SCSS to CSS with PHP (http://leafo.net/scssphp/ does this, installable via Composer).
2.) A view engine, like Twig (installable via Composer).
3.) An ORM library (same here)?
4.) A slim/laravel-like routes.php that basically replaces all controller files
Feel free to add your ideas!
First off, thank you for your effort and this well-written MVC skeleton! I am on Ubuntu and I have the following problem when I navigate to /songs.
```
Warning: require(application/models/SongsModel.php): failed to open stream: No such file or directory in /var/www/php-mvc/application/libs/controller.php on line 45
Fatal error: require(): Failed opening required 'application/models/SongsModel.php' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/php-mvc/application/libs/controller.php on line 45
```
That's happening due to the capitalized letters used for the names of the models. I fixed that by adding strtolower() on line 45 of controller.php:
```php
require 'application/models/' . strtolower($model_name) . '.php';
```
Currently application/libs holds the heart of the application, but naming it core would be more useful, as these files are not really (additional) libraries, they are the pure core. I think this will also keep people from changing things inside.
The major "getting-started" bottleneck in php-mvc is still to activate mod_rewrite; especially beginners have problems with that.
Laravel - and other frameworks - do something very interesting: They have a fallback when no mod_rewrite is activated that makes the application work exactly like with mod_rewrite, except that you always have index.php inside your URL, like http://x.x.x.x/index.php/help/showArticle/17.
I think php-mvc should do the same. Please have a look at how to do this if you have some knowledge about this topic.
Interesting read on SO:
http://stackoverflow.com/questions/975262/pretty-urls-without-mod-rewrite-without-htaccess
http://stackoverflow.com/questions/5629683/serverpath-info-and-serverorig-path-info-in-php
Interesting file / behaviour in Laravel's root:
https://github.com/laravel/laravel/blob/master/server.php
PATH_INFO is used in both Symfony and ZF.
Quote from that file:
```php
// This file allows us to emulate Apache's "mod_rewrite" functionality from the
// built-in PHP web server. This provides a convenient way to test a Laravel
// application without having installed a "real" web server software here.
```
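What such a fallback has to do, as an added example that is neither php-mvc's nor Laravel's code: derive the controller/action/param string from the request when the ?url= parameter that .htaccess normally supplies is missing. The function name routeFromRequest() and the $server/$get arrays it takes are assumptions made for this example. It prefers PATH_INFO (the /index.php/help/showArticle/17 form above, which Apache and the built-in server populate) and falls back to REQUEST_URI minus the script path for servers that do not, and it rejects anything that is not a plain list of segments, which is what keeps a route built from the raw URI from ever steering a require() with ../ in it.

```php
<?php
declare(strict_types=1);

// Added example, not php-mvc's or Laravel's code (PHP 8+ for str_starts_with).
// Derives the "controller/action/param" route when no ?url= parameter exists,
// i.e. with mod_rewrite off or under "php -S".
//
// Order of preference:
//   1. $get['url']   what the .htaccess rewrite supplies
//   2. PATH_INFO     /index.php/help/showArticle/17  (Apache, php -S)
//   3. REQUEST_URI   minus the script path, for servers that lack PATH_INFO
function routeFromRequest(array $server, array $get): string
{
    if (isset($get['url']) && is_string($get['url'])) {
        $path = $get['url'];
    } elseif (!empty($server['PATH_INFO']) && is_string($server['PATH_INFO'])) {
        $path = $server['PATH_INFO'];
    } else {
        // Drop the query string, then the "/sub/dir/index.php" or "/sub/dir" prefix.
        $uri    = rawurldecode((string) parse_url((string) ($server['REQUEST_URI'] ?? '/'), PHP_URL_PATH));
        $script = (string) ($server['SCRIPT_NAME'] ?? '/index.php');  // e.g. /php-mvc/index.php
        $base   = rtrim(dirname($script), '/\\');                       // e.g. /php-mvc, '' at the root
        if (str_starts_with($uri, $script)) {
            $path = substr($uri, strlen($script));
        } elseif ($base !== '' && str_starts_with($uri, $base . '/')) {
            $path = substr($uri, strlen($base));
        } else {
            $path = $uri;
        }
    }

    // Accept only a list of plain segments. Anything else ("..", "%00", ":")
    // is rejected outright rather than "sanitized", so a route taken from the
    // raw URI can never reach a require() with a path in it.
    $path = trim($path, '/');
    if ($path !== '' && !preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$~', $path)) {
        return '';   // the router treats '' as home/index (or answers 404)
    }
    return $path;
}

// Constructed requests; the third one is a server that does not set PATH_INFO.
$requests = [
    [['REQUEST_URI' => '/php-mvc/index.php?url=songs/index', 'SCRIPT_NAME' => '/php-mvc/index.php'], ['url' => 'songs/index']],
    [['REQUEST_URI' => '/php-mvc/index.php/help/showArticle/17', 'SCRIPT_NAME' => '/php-mvc/index.php', 'PATH_INFO' => '/help/showArticle/17'], []],
    [['REQUEST_URI' => '/php-mvc/index.php/help/showArticle/17', 'SCRIPT_NAME' => '/php-mvc/index.php'], []],
    [['REQUEST_URI' => '/php-mvc/songs/index?x=1', 'SCRIPT_NAME' => '/php-mvc/index.php'], []],
    [['REQUEST_URI' => '/php-mvc/index.php/../../etc/passwd', 'SCRIPT_NAME' => '/php-mvc/index.php'], []],
];
foreach ($requests as [$server, $get]) {
    printf("%-46s -> %s\n", $server['REQUEST_URI'], var_export(routeFromRequest($server, $get), true));
}
// The first four print 'songs/index', 'help/showArticle/17', 'help/showArticle/17',
// 'songs/index'; the traversal attempt prints ''.
```

In the front controller, call it as routeFromRequest($_SERVER, $_GET) and feed the result to the existing controller/action split; nothing else in the router has to change, and the index.php-in-the-URL form works without any .htaccess at all.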
As usual, please only commit into the develop branch - never into master (it's only for stable public releases). Or create a feature branch (but I'm not sure if this is possible so easily in a public repo on GitHub).
What do I have to change in your code to get a working autoloader?
Do I have to add a vendor map? What is the code of autoloader.php?
What do I have to change in composer.json?
I am using PHP MVC ADVANCED. Now I want to create a URL like http://www.example.com/about-us, so how do I create the controller, model and view? I have tried with a dash (-) but it is not working.
Can you please explain it to me?
Thanks.
I'm just wondering (and please correct me if I'm wrong):
Isn't it better to have one index.php file which already holds the header and footer information, and then include the requested information into that page
instead of including header.php and footer.php every time over and over again?
Thanks!
Thank you for that nice project. It explains very good how MVC works.
In application/views/songs/index.php you use a $songs array. This array contains different $song variables. Each variable has an id, artist and track. $song looks like an object, but I can't find the class in your project. Where is it defined what a $song variable contains? Maybe I overlooked something.
You might want to include a comment in the htaccess file with the code for Apache 2.4:
```apache
Require all denied
```
instead of
```apache
Order deny,allow
Deny from all
```
The requested URL /shen/home/exampleone was not found on this server.
Hi ... I am just wondering why the folder structure for php-mvc and mvc-login is totally different? I am trying to build my own framework. I am trying to gather as much information as possible to make the folder structure correct
as lots of people don't get this... It should be obvious that a PHP/mysql application cannot run without setting up apache/PHP/mysql first, but obviously it's needed to say this.
Hi, I'm using IIS. Here are the rules that works for me:
http://pastebin.com/rguF7Fiy
controller/songs.php:
```php
public function index()
{
    // simple message to show where you are
    echo 'Message from Controller: You are in the Controller: Songs, using the method index().';

    // load a model, perform an action, pass the returned data to a variable
    // NOTE: please write the name of the model "LikeThis"
    $songs_model = $this->loadModel('SongsModel');
    $songs = $songs_model->getAllSongs();

    // load another model, perform an action, pass the returned data to a variable
    // NOTE: please write the name of the model "LikeThis"
    $stats_model = $this->loadModel('StatsModel');
    $amount_of_songs = $stats_model->getAmountOfSongs();

    // load views. within the views we can echo out $songs and $amount_of_songs easily
    require 'application/views/_templates/header.php';
    require 'application/views/songs/index.php';
    require 'application/views/_templates/footer.php';
}
```
I wanted to make this a little nicer, so I added a method to libs/controller.php:
```php
public function renderView($controller, $view)
{
    require 'application/views/_templates/header.php';
    require "application/views/$controller/$view.php";
    require 'application/views/_templates/footer.php';
}
```
Then I changed the index action of the Songs controller to:
```php
public function index()
{
    // simple message to show where you are
    echo 'Message from Controller: You are in the Controller: Songs, using the method index().';

    // load a model, perform an action, pass the returned data to a variable
    // NOTE: please write the name of the model "LikeThis"
    $songs_model = $this->loadModel('SongsModel');
    $songs = $songs_model->getAllSongs();

    // load another model, perform an action, pass the returned data to a variable
    // NOTE: please write the name of the model "LikeThis"
    $stats_model = $this->loadModel('StatsModel');
    $amount_of_songs = $stats_model->getAmountOfSongs();

    $this->renderView('songs', 'index');
}
```
However now $amount_of_songs as well as $songs are unavailable to the view. I'm having a difficult time understanding why the change I made would break that. Can you help?
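The variables vanish because of scope, not because of the view files: $songs and $amount_of_songs are locals of index(), and a require executed inside renderView() sees only renderView()'s locals. Below is an added example (not php-mvc's own Controller) of a renderView() that takes the data as an array and extract()s it before including the templates, with a name check so the view path can never be steered if the two names ever come from a URL. The temporary template files it writes are constructed stand-ins for the project's header, footer and songs/index views.

```php
<?php
declare(strict_types=1);

// Added example, not php-mvc's own Controller (PHP 7.4+ for typed properties).
// $songs and $amount_of_songs are local variables of index(); a require run
// inside renderView() only sees renderView()'s locals, so the views find
// nothing. Hand the data over explicitly and extract() it where the views load.

abstract class Controller
{
    /** Directory that contains application/views (php-mvc's layout is assumed). */
    public static string $root = __DIR__;

    /**
     * @param array<string, mixed> $data variables the view may use, by name
     */
    protected function renderView(string $controller, string $view, array $data = []): void
    {
        // Both names come from our own code today; staying strict means a later
        // change that takes them from the URL cannot turn this into "../../x".
        foreach ([$controller, $view] as $part) {
            if (!preg_match('/^[a-z0-9_]+$/i', $part)) {
                throw new InvalidArgumentException("bad view name: $part");
            }
        }
        $file = self::$root . "/application/views/$controller/$view.php";
        if (!is_file($file)) {
            throw new RuntimeException("view not found: $file");
        }
        // Expose the data as local variables for the included files only.
        // EXTR_SKIP keeps a key named "file" or "data" from clobbering ours.
        extract($data, EXTR_SKIP);
        require self::$root . '/application/views/_templates/header.php';
        require $file;
        require self::$root . '/application/views/_templates/footer.php';
    }
}

final class Songs extends Controller
{
    public function index(): void
    {
        // Constructed data standing in for the two model calls in the post above.
        $songs = [(object) ['artist' => 'Demo Artist', 'track' => 'Demo Track']];
        $amount_of_songs = count($songs);
        $this->renderView('songs', 'index', compact('songs', 'amount_of_songs'));
    }
}

// Self-contained run: write three tiny stand-in templates to a temp dir and render.
$tmp = sys_get_temp_dir() . '/phpmvc_demo_' . getmypid();
mkdir("$tmp/application/views/_templates", 0700, true);
mkdir("$tmp/application/views/songs", 0700, true);
file_put_contents("$tmp/application/views/_templates/header.php", "<html><body>\n");
file_put_contents("$tmp/application/views/_templates/footer.php", "</body></html>\n");
file_put_contents("$tmp/application/views/songs/index.php", <<<'PHP'
<p><?= htmlspecialchars((string) $amount_of_songs, ENT_QUOTES, 'UTF-8') ?> song(s)</p>
<?php foreach ($songs as $song): ?>
<p><?= htmlspecialchars($song->artist, ENT_QUOTES, 'UTF-8') ?> - <?= htmlspecialchars($song->track, ENT_QUOTES, 'UTF-8') ?></p>
<?php endforeach; ?>

PHP);
Controller::$root = $tmp;
(new Songs())->index();
```

The same mechanism works for the original three-require version: anything a view needs has to be a variable in the scope that executes the require, which is why the project's own index() works and the refactored one does not.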
While working with php-mvc, I noticed that if some specific error occurs it will output a blank page instead of getting back to the controller index, which could be more convenient.
A simple test would be to try and manually load a model from the URL:
http://localhost/home/loadModel/somefile
Since somefile doesn't exist it would simply return an empty page, or, in case ini_set display_errors is set to 1, "No such file or directory".
A quick fix would be to check for the model file's existence first, and then use require with said file:
```php
public function loadModel($model_name)
{
    // check for model: does such a model exist ?
    if (file_exists('application/models/' . strtolower($model_name) . '.php')) {
        require 'application/models/' . strtolower($model_name) . '.php';
        // return new model (and pass the database connection to the model)
        return new $model_name($this->db);
    } else {
        // invalid Model, so simply show index of current controller
        $this->index();
    }
}
```
Which brings up the fact that any user can run a public method (by design); loadModel being a public inherited method from controller.php, anyone can call it directly from any controller. I didn't spend enough time trying to bypass (if it's even possible) FILTER_SANITIZE_URL to turn this tiny issue into a Local File Inclusion, but it could be a possible risk. A solution would be to blacklist $this->url_action from trying to run loadModel.
One last suggestion would be to use is_callable() instead of method_exists() in application.php. Another blank page will appear if I try this URL:
http://localhost/home/openDatabaseConnection/
openDatabaseConnection is a private method; calling it would cause a fatal error. This cannot be avoided with method_exists because this method indeed exists but is, in fact, not callable. A simple fix would be replacing:
if (method_exists($this->url_controller, $this->url_action)) {
with
if (is_callable(array($this->url_controller, $this->url_action))) {
Any attempt to call a private method will fall back to the current index of the controller.
Thank you for php-mvc.
I am a new php-mvc user and I have been trying to develop a prototype for a website I am presently building. I am also new to MVC architecture and would like some guidance. I presently have a listing controller and a photos controller. Photos are added to listings and the photo index view is supposed to be nested inside a Listing view. What is the best way to nest this child view inside the parent view?
Currently it's possible to directly access the files in the application folder. This should be prevented via .htaccess. The common (dirty) way to do so is to put an .htaccess into application with a deny from all rule in it.
But I would like to do this directly from the main .htaccess in the root folder. Can somebody help me with that? I did quite a lot of research on that but always ended up with messy, weird and unreadable constructs or the above rule.
All I want is something that says "access for application folder is forbidden".
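A root .htaccess that does what this post asks, that also covers the composer.json, config.php~ and .git exposures from the security report earlier on this page, and that answers the earlier question about protecting .php files when mod_rewrite is unavailable. It is an added example, not the project's file or any poster's. It assumes Apache 2.4 with mod_rewrite loaded and AllowOverride All for the directory, and the layout from the report (index.php and the original .htaccess moved into public/). The FilesMatch pattern is the one the h5bp Apache config uses.

```apache
# Root .htaccess of the php-mvc checkout, added example (not the project's own
# file). Assumes Apache 2.4, mod_rewrite loaded and AllowOverride All, with
# index.php and the original .htaccess already moved into public/.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # 1) Dotfiles and dot-directories anywhere in the path (.git/config,
    #    .htaccess, .svn, .env) are Forbidden; ACME's .well-known is spared.
    RewriteRule "(^|/)\.(?!well-known/)" - [F]

    # 2) "access for application folder is forbidden", verbatim.
    RewriteRule "^application(/|$)" - [F]

    # 3) Everything else is served from public/. The lookahead keeps a request
    #    for /public/css/style.css from becoming public/public/css/style.css.
    RewriteRule "^(?!public/)(.*)$" "public/$1" [L]
</IfModule>

# Applies even when mod_rewrite is off: editor backups and swap files
# (config.php~, config.php.bak, .config.php.swp), dumps and config-style
# files are never served. Pattern as used by the h5bp Apache config.
<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
    Require all denied
</FilesMatch>
```

Check it with `curl -i` against /application/config/config.php, /application/config/config.php~, /.git/config and /composer.json: the first three should answer 403 and the last 404 (it is looked up under public/ now), while /css/style.css is served from public/css/. If AllowOverride is None, nothing in any .htaccess is read, and the only robust fix, which also answers the mod_rewrite-free question above, is to point the vhost's DocumentRoot at the public/ directory so that application/, composer.json and .git are outside the web tree altogether.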
As this project gets a lot of attention, it might be very useful to add a really good documentation, super-detailed install tutorials, video trainings etc. to reduce the getting-started-barrier.
I'm currently too lazy to do this :) as we have summer here in Europe, but September / October 2014 is realistic.
More to come...
This framework really misses support for a 404 page. When you put a wrong URL in the address bar, it will simply redirect you to /home. Better than that would be that it redirects you to a 404 page and uses DirectoryIndex for setting the / param to /home.
P.S. Sorry for my English.
I need to keep the old code base running on a production server before migrating all users to the new version (I need some time to debug and rewrite core features). The old code base isn't compatible with PHP > 5.3.
I have tried to run php-mvc on PHP 5.2.17, and it works normally for the example code. But I'm not sure whether any bugs occur in the framework core. I see composer's config file requires PHP > 5.3.0.
Can I use the php-mvc core without upgrading our PHP version above 5.3?
Hi @panique and thanks for making this simple but powerful MVC.
To save the "issues" system being clogged up with questions and how-to's, what about making a simple support forum? Even if it were just a simple, free Google group (please, not Yahoo groups though!). Or perhaps a basic Wiki or something?
That way users could contribute and make a FAQ and help each other out. What do you think?
Hi everyone. I'm using this boilerplate project in a way that the site and the admin area share most of the code. But I find myself lost as the project grows, because the URLs are messy right now.
For instance: To access a product page the URL is "site.com/product-list/" but the admin of that page is something like "site.com/products-admin".
Is there any way to do something like "site.com/admin/products" without having to rewrite all the URL parameter rules?
As this projects gains a lot of popularity (which I have never even thought of) and seems to be useful for lots of people, I'm thinking about going a step further and creating some kind of php-boilerplate out of it.
So many people build applications (with PHP) completely from scratch, without having any idea of application structure, OOP, MVC, clean architecture, clean code, PSR, etc. Just spend some minutes on stackoverflow or at the local university and you know what I mean. php-boilerplate could give beginners (!) and advanced developers an easy-to-understand naked base application, easy to install, easy to maintain, to get started, and killing all the major problems a completely self-built structure introduces (including lots of security problems).
Still not as good as a real framework, but 1000x better than the horrible mess of .php files we have all written back in the days.
Besides, it makes people learn clean, DRY OOP code from the beginning, encourages them to use PSR guidelines, use PDO, use Composer, get a feeling for security, use comments in the way they should be used, learn git and continuous deployment (which can be super easy and setup-free) etc.
Maybe it even makes sense to collect money for this (via Kickstarter or getting supported by open-source-funding organizations etc.) !? This is just a first idea, but feel free to comment. I think this can be a very useful project.
Hi there!
Any reason why you load the CSS as follows
```html
<link href="<?php echo URL; ?>public/css/style.css" rel="stylesheet">
```
while it's also working like this
```html
<link href="public/css/style.css" rel="stylesheet">
```
Thanks!