Lamp Zend Security

LAMP security with Zend Framework
1. LAMP security with Zend Framework
   2009/Mar/10, YMSLI

2. What is LAMP?
   - A stack of open source software for building web applications:
     - Linux: server operating system
     - Apache: web server software
     - MySQL: relational database
     - PHP / Python / Perl: scripting languages

3. LAMP doesn't always use Linux
   - LAMP Classic
     - Linux – Apache – MySQL – PHP etc.
   - WAMP
     - Windows Server – Apache – MySQL – PHP etc.
     - very common combination (compare: 50% of JBoss users on Windows)
   - WIMP
     - Windows Server – IIS – MySQL – PHP etc.
     - somewhat common
   - LIMP
     - Linux – IIS – MySQL – PHP etc.
     - logically possible but does not exist (MSFT refuses to port IIS to Linux)
   - CHUMP
     - risc CHip – vendor Unix – (Apache) – MySQL – PHP etc.
     - a few do this, but silly to run free software on expensive proprietary hardware

4. How big is LAMP?
   - Gartner says open source middleware has 0.5% of the total $8.5 billion middleware market in 2006
     - the middleware category includes all elements of the LAMP stack except the Linux OS
   - But Gartner also says open source middleware will reach 10% by 2010
   - This is by revenue, which means OSS middleware has a much larger share of the actual installed base
   - 35% of mission-critical apps by 2008 (Forrester)

5. Yes, but what is LAMP really?
   - LAMP is used to build server-based apps that connect users to a database
   - The vast majority of apps have this same general architecture:
   [Diagram: Internet -> Web Servers -> Application Servers -> Data Bases]

6. Distribution of Open Source Licenses

7. Open Source Crossing the Chasm*

8. Apache
   - One of the first HTTP web servers
     - Written at NCSA (the same group that wrote the Mosaic web browser)
     - Apache = "a patchy server"
     - Released as open source circa 1995, quickly became dominant
     - Still dominant today, approx. 65% of all web sites worldwide
   - Apache Software Foundation created in 1999
     - Internal structure based on coder meritocracy
     - 9 board members – leading programmers with long standing in the community
     - Mostly independent, but some industry players too (IBM, Google, Covalent)
   - In time, many satellite projects spawned
     - Apache now hosts many open source projects beyond the HTTP server
     - Coalition of projects where authority is bottom-up

9. Programming Language Trends
   Trends measured by programming language book sales. Source: O'Reilly, August 2006

10. Ruby King of the Scripting Hill
    Trends measured by programming language book sales. Source: O'Reilly, August 2006

11. PHP Usage Growth

12. LAMP has a Java variant: "LATMJSHS"
    - Linux: server operating system
    - Apache: web server software
    - Tomcat: JSP/servlet container (Apache)
    - MySQL: relational database
    - Java: programming language
    - Spring, Hibernate, Struts: open source Java frameworks
13. ZEND Framework – Especially for LAMP security

14. Welcome
    - Today I'll be introducing you to the Zend Framework
      - What it is
      - Why we're doing it
      - How to use it
      - Where it's going
      - How to be a part of it

15. Getting Started
    - Zend Framework is...
      - A modular collection of PHP classes based on PHP 5 to simplify common tasks
      - A starting point for your applications
      - A demonstration of PHP 5 best practices
      - A smaller component of the PHP Collaboration Project
    - Zend Framework isn't...
      - A free-rein open source project
      - A religion

16. Goals of the Framework
    - Zend Framework strives to be fundamentally...
      - An industry-leading framework for PHP application development
      - A partnership between many companies already experienced in PHP framework development
    - Zend Framework strives to be technically...
      - A source of high-quality, PHP 5 / E_STRICT compatible application components
      - Completely PHP 5 powered, requiring as few external PHP extensions as possible
      - A minimal object hierarchy to achieve the necessary goals
      - A modular design allowing developers to use the framework at will, as they see fit

17. Why yet another framework?
    - Keep PHP competitive with other technologies
      - .NET, Java, etc.
    - Provide "clean" IP to enable commercial use
      - Real companies can't just "borrow" code from the Internet without clear licensing
    - "Extreme Simplicity": it may not be simple technically, but using it should be
    - Take full advantage of PHP 5

18. The Framework License
    - Zend Framework is licensed using a PHP/BSD style license
      - Anyone can use it, for anything, no strings attached – period.
    - Along with the license of the framework itself, contributors must sign a Contributor License Agreement (CLA)

19. There's no such thing as a free...
    - Why spend so much time and effort on something, just to give it away?
      - Yes, they're still interested in making money
    - For the continued success of PHP it must be a collaboration beyond OSS hackers
      - Through the PHP Collaboration Project, and projects like Zend Framework, we can leverage the knowledge of some of the best in the industry for the benefit of PHP as a whole
      - As you might expect, Zend benefits along with PHP

20. We eat our own dog food
    - Zend Framework is more than unit-tested, it is used in real-life production environments
      - Gives us the ability to test performance, ease of use, etc. in a practical environment
      - Zend and its partners are already using the preview release of the Framework to speed development of their applications
      - Both the Framework homepage and the new Developer's Zone use the preview release of the Framework as their foundation

21. The grail: Extreme Simplicity
    - Many of PHP 5's most exciting new technologies are really simple to use:
      - SimpleXML
      - SOAP
      - Tidy
    - While the underlying technologies may be extremely complex, the end-user APIs are reduced to an extremely simple interface

22. Getting the Grail
    - To achieve the grail of extreme simplicity:
      - "Simple things should be simple, complex things should be possible"
    - Use-at-will architecture
      - You shouldn't be forced into buying the whole pizza just for a slice
      - Use individual components (controller/model) without being forced to use everything (your own template/view)
    - Configuration-less
      - The framework should be plug-and-go, no configuration files necessary

23. Zend Framework from 10,000 feet

24. Completely PHP 5 focused
    - Requires PHP 5.0.4 or later for the near future
    - Takes full advantage of the PHP exception model
    - Constants are all at the class level
    - No functions in the global namespace
    - ZE2 / SPL technologies fully utilized where it makes sense
    - Black-magic __magic() functions used very sparingly

25. Preview Release
    - PR 1.2 is the latest preview release of the Framework, including many immediately useful tools such as:
      - A basic MVC framework for application design
      - A PDO-based database layer
      - Feed (RSS, Atom) ingestion and manipulation
      - An HTTP client
      - Input data filtering
      - JSON support for AJAX
      - PDF generation and manipulation
      - RPC / web service support
      - And more!

26. Getting Zend Framework
    - You can either get the framework preview release or check out the latest repository version
    - Preview Release:
    - Repository:
    $ svn checkout
27. Installing Zend Framework
    - Installing the framework is very easy: just modify your include_path to include the library/ directory
    - From php.ini:
        ...
        include_path = ".:/usr/local/lib/php:/usr/local/lib/ZendFramework"
        ...
    - From .htaccess:
        ...
        php_value include_path ".:/usr/local/lib/php:/usr/local/lib/ZendFramework"
        ...
28. MVC Pattern
    - MVC, or the Model View Controller pattern, is a powerful technique for developing user interfaces
    - Originally conceived for client-side GUI applications and adapted to the web
    - Zend Framework provides a simplistic MVC model

29. Example Controller
    - Note: indexAction() is declared abstract in Zend_Controller_Action, and therefore must be defined in any Action/Page controller

30. Passing Parameters
    - Beyond $_GET/$_POST you can also pass parameters to a specific controller action by appending them to the URL:
      - http://localhost/foo/dosomething/param1/value1/param2/value2
    - Parameters can be accessed from within the action by name:
      - $this->_getParam(<key> [, <default value>]);
      - $this->_getAllParams();

31. Dealing with 404s
    - 404 errors are no longer the responsibility of Apache per se, and are more likely to result in a 'Class not found' / 'Method not found' exception
    - To deal with these, Zend Framework provides two methods:
      - In the event of a controller not being found, the IndexController::noRoute() method will be called instead
      - In the event a controller action is not defined, it is the responsibility of the controller to implement safeguards (i.e. a __call() that traps bad action calls)

32. Chaining Controllers
    - Controllers can be chained together either to break business logic out into components, or to otherwise redirect the user
      - $this->_forward(<controller_name> [, <parameters>])
      - Parameters are a series of key/value pairs
      - Controller chaining does not occur until the current action is complete; to forward immediately you must return from the current action after calling _forward()
    - Forwarding does not cause a refresh on the client; to physically refresh the browser:
      - $this->_redirect(<url>);

33. Final thoughts on MVC
    - Although the pattern dictates three individual class types, they are as conceptual as they are functional
    - For instance, a "model" or "view" isn't absolutely necessary to gain most of the benefit of MVC
      - You can always perform queries from a controller
      - You can always print output from a controller
    - Although not necessary, they are nevertheless recommended
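The example-controller slide (29) lost its code in transcription. The following is an added example, not Zend Framework's own code, showing the routing behaviour that slides 29-32 describe in one runnable PHP file: the abstract indexAction(), URL parameters read with _getParam() and a default, a missing controller routed to IndexController::noRoute(), a missing action trapped by __call(), and a _forward() that only runs after the current action returns. ActionController, FooController, route() and dispatch() are hypothetical stand-ins for Zend_Controller_Action and the front controller; the one security point the example adds is that controller and action names are whitelisted before they are turned into a class or method name.

```php
<?php
// Added example (not Zend Framework code). All class and function names are
// hypothetical stand-ins for Zend_Controller_Action and the front controller.

abstract class ActionController
{
    private $params;
    private $forwardTo = null;            // recorded by _forward(), run later

    public function __construct(array $params)
    {
        $this->params = $params;
    }

    // Slide 29: indexAction() is abstract, so every controller must define it.
    abstract public function indexAction();

    // Slide 30: $this->_getParam(<key> [, <default value>])
    protected function _getParam($key, $default = null)
    {
        return array_key_exists($key, $this->params) ? $this->params[$key] : $default;
    }

    protected function _getAllParams()
    {
        return $this->params;
    }

    // Slide 32: forwarding is deferred; the calling action must return.
    protected function _forward($action, array $params = array())
    {
        $this->forwardTo = array($action, $params + $this->params);
    }

    public function takePendingForward()
    {
        $f = $this->forwardTo;
        $this->forwardTo = null;
        return $f;
    }

    // Slide 31: trap calls to undefined actions instead of a fatal error.
    public function __call($name, $args)
    {
        return "404: action '$name' is not defined";
    }
}

class IndexController extends ActionController
{
    public function indexAction() { return 'index/index'; }
    public function noRoute()     { return '404: no such controller'; }
}

class FooController extends ActionController
{
    public function indexAction()
    {
        return 'foo/index params=' . json_encode($this->_getAllParams());
    }

    public function dosomethingAction()
    {
        return 'foo/dosomething param1=' . $this->_getParam('param1')
             . ' format=' . $this->_getParam('format', 'html');   // default applies
    }

    public function startAction()
    {
        $this->_forward('index', array('via' => 'start'));
        return 'foo/start (this output is produced before the forward runs)';
    }
}

// Split /controller/action/k1/v1/k2/v2 into its parts. Controller and action
// names must match a strict whitelist before they become a class or method
// name, so a request can never select an arbitrary class.
function route($path)
{
    $seg = array_values(array_filter(explode('/', $path), 'strlen'));
    $controller = isset($seg[0]) ? $seg[0] : 'index';
    $action     = isset($seg[1]) ? $seg[1] : 'index';
    if (!preg_match('/^[a-z][a-z0-9]*$/i', $controller) ||
        !preg_match('/^[a-z][a-z0-9]*$/i', $action)) {
        return array(null, null, array());
    }
    $params = array();
    for ($i = 2; $i + 1 < count($seg); $i += 2) {
        $params[urldecode($seg[$i])] = urldecode($seg[$i + 1]);
    }
    return array($controller, $action, $params);
}

function dispatch($path)
{
    list($controller, $action, $params) = route($path);
    $class = ($controller === null) ? null : ucfirst(strtolower($controller)) . 'Controller';
    if ($class === null || !class_exists($class, false) || !is_subclass_of($class, 'ActionController')) {
        $ctrl = new IndexController($params);          // slide 31: controller not found
        return array($ctrl->noRoute());
    }
    $ctrl = new $class($params);
    $out  = array($ctrl->{$action . 'Action'}());
    while ($f = $ctrl->takePendingForward()) {          // slide 32: deferred forward
        $ctrl  = new $class($f[1]);
        $out[] = $ctrl->{$f[0] . 'Action'}();
    }
    return $out;
}

foreach (array('/foo/dosomething/param1/value1/param2/value2',
               '/foo/start', '/foo/missing', '/nosuch/thing') as $p) {
    echo $p, "\n  ", implode("\n  ", dispatch($p)), "\n";
}
```

Run it with `php` on the command line; each of the four paths exercises one of the rules above. The whitelist in route() is the part worth keeping in mind when writing a real dispatcher: the controller segment is attacker-controlled, and mapping it to a class name without a check would let a request instantiate any class that happens to be loaded.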
34. Input Filtering

35. Zend_InputFilter
    - Security is a primary concern in Zend Framework
    - As such, we provide facilities to clean and manage untrusted data in your applications via Zend_InputFilter and Zend_Filter
      - Provides a number of methods for filtering data against many common data types (digits, alphanumeric, alpha, phone, etc.)

36. Using Zend_InputFilter
    - With Input Filter you can both test data types and retrieve filtered data easily
    - Note: by default the source of the data and all of its references are destroyed when filtered
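The code for slide 36 did not survive the transcription. The following is an added example, not the framework's own class, that reproduces in plain PHP the three behaviours the slides attribute to Zend_InputFilter: test methods that report whether a value already has the expected type, get methods that return the value with everything outside a whitelist stripped, and a constructor that destroys the source array by default so that later code cannot reach around the filter. WhitelistInputFilter and its method names are hypothetical stand-ins; the request data is constructed.

```php
<?php
// Added example, not Zend Framework code. WhitelistInputFilter is a
// hypothetical stand-in for Zend_InputFilter; the $post array is constructed.

class WhitelistInputFilter
{
    private $source;

    // Takes the request array by reference and, by default, destroys it so
    // that the raw, untrusted values cannot be read later by accident.
    public function __construct(array &$source, $destroySource = true)
    {
        $this->source = $source;
        if ($destroySource) {
            $source = null;
        }
    }

    private function raw($key)
    {
        return isset($this->source[$key]) ? (string) $this->source[$key] : '';
    }

    // test*(): does the value already consist only of the allowed type?
    public function testDigits($key) { $v = $this->raw($key); return $v !== '' && ctype_digit($v); }
    public function testAlpha($key)  { $v = $this->raw($key); return $v !== '' && ctype_alpha($v); }
    public function testAlnum($key)  { $v = $this->raw($key); return $v !== '' && ctype_alnum($v); }
    public function testEmail($key)  { return filter_var($this->raw($key), FILTER_VALIDATE_EMAIL) !== false; }

    // get*(): return the value with every character outside the whitelist removed.
    public function getDigits($key) { return preg_replace('/[^0-9]/', '', $this->raw($key)); }
    public function getAlpha($key)  { return preg_replace('/[^a-zA-Z]/', '', $this->raw($key)); }
    public function getAlnum($key)  { return preg_replace('/[^a-zA-Z0-9]/', '', $this->raw($key)); }
    public function getInt($key)    { return (int) preg_replace('/[^0-9-]/', '', $this->raw($key)); }
}

// Constructed request data standing in for $_POST.
$post = array(
    'id'    => '42abc',
    'name'  => 'Bob Smith!',
    'email' => 'bob@example.com',
    'qty'   => '-7 units',
);

$filter = new WhitelistInputFilter($post);

var_dump($post);                       // the raw source was destroyed by the constructor
var_dump($filter->testDigits('id'));   // fails: the value contains letters as well as digits
var_dump($filter->getDigits('id'));    // the digits-only remainder of the same value
var_dump($filter->testAlpha('name'));  // fails: space and punctuation present
var_dump($filter->getAlpha('name'));   // letters only
var_dump($filter->testEmail('email')); // passes: a well-formed address
var_dump($filter->getInt('qty'));      // sign and digits kept, then cast to int
var_dump($filter->getDigits('nope'));  // an unknown key filters to the empty string

// A caller that genuinely needs the raw values can opt out of the destruction.
$form = array('id' => '42abc');
$keep = new WhitelistInputFilter($form, false);
var_dump($form['id']);                 // still available
```

The distinction the slide draws matters in practice: a test method lets you reject input that does not match (and log it), whereas a get method silently coerces it. Use the test form for anything where a mismatch is suspicious, such as an identifier that should be purely numeric, and the get form only where silently dropping characters is the behaviour you actually want.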
37. Zend_Mail
    - Simplifies building and sending e-mail
    - Supports MIME types and multipart e-mail
    - Supports multiple transports and persistent connections automatically
    - Supports large file attachments via the streams API, improving performance

38. Sending HTML mail is now really easy
39. Zend_Search
    - PHP 5 implementation of the popular Lucene search engine from the Java world
    - Simplified API
    - Requires no special PHP extensions
    - Fully compatible with the binary index format of Java Lucene 1.4 and above

40. Zend_Search Features
    - Ranked searching
      - Best results always first
    - Many query types: phrase, wildcard, proximity
    - Search by field (author, title, body, etc.)
    - Robust and simple API
      - One-method intelligent searches against indexes, or complex OO queries if desired
      - Index multiple document types, with different field requirements

41. Using Zend_Search
    - Using Zend_Search is very easy
    - The search engine also boasts a parser for Google-like searching: zend php -java

42. Adding documents to the index

43. Cool things about Zend_Search
    - The Lucene search engine allows you to index multiple document types in a single index, each with different index fields
      - Index individual documents with different searchable criteria
      - I.e. index code samples by functions used, and articles by title, author and keywords, in the same index
    - Because it is 100% compatible with Lucene 1.4+, it is compatible with all pre-created index files

44. Any questions?
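Slides 41-43 describe the query parser and the mixed-document index but the code from slides 41 and 42 is missing from the transcript. The following is an added example, not taken from the deck, that covers both: it indexes an article and a code sample with different fields in one index and runs the slide's Google-like query `zend php -java` plus two field-restricted queries. It assumes the Zend_Search_Lucene API as it exists in Zend Framework 1.x (`Zend/Search/Lucene.php` on the include_path; the preview release the deck describes may differ) and writes the index to a constructed temporary path.

```php
<?php
// Added example, not from the slides. Assumes the Zend Framework 1.x
// Zend_Search_Lucene API; the index location is a constructed temp path.
require_once 'Zend/Search/Lucene.php';

$indexPath = sys_get_temp_dir() . '/zf-search-demo';   // constructed location
$index = Zend_Search_Lucene::create($indexPath);       // new, empty index

// Document type 1: an article, searchable by title, author and keywords.
$article = new Zend_Search_Lucene_Document();
$article->addField(Zend_Search_Lucene_Field::Keyword('type', 'article'));
$article->addField(Zend_Search_Lucene_Field::Text('title', 'Filtering untrusted input in PHP'));
$article->addField(Zend_Search_Lucene_Field::Text('author', 'Alice'));
$article->addField(Zend_Search_Lucene_Field::Text('keywords', 'zend php security filter'));
$article->addField(Zend_Search_Lucene_Field::UnIndexed('url', '/articles/1'));  // stored, not searchable
$index->addDocument($article);

// Document type 2: a code sample, searchable by the functions it uses. It
// lives in the same index but has entirely different fields (slide 43).
$sample = new Zend_Search_Lucene_Document();
$sample->addField(Zend_Search_Lucene_Field::Keyword('type', 'sample'));
$sample->addField(Zend_Search_Lucene_Field::Text('functions', 'strlen substr'));
$sample->addField(Zend_Search_Lucene_Field::Text('keywords', 'zend php java bridge'));
$sample->addField(Zend_Search_Lucene_Field::UnIndexed('url', '/samples/7'));
$index->addDocument($sample);

$index->commit();

// Google-like semantics require every bare term. The 1.x query parser
// defaults to OR, so switch it to AND before running the slide's query.
Zend_Search_Lucene_Search_QueryParser::setDefaultOperator(
    Zend_Search_Lucene_Search_QueryParser::B_AND);

foreach (array('zend php -java', 'functions:strlen', 'author:alice') as $query) {
    echo "query: $query\n";
    foreach ($index->find($query) as $hit) {            // ranked, best result first (slide 40)
        $doc = $hit->getDocument();
        printf("  %.3f  %-8s %s\n", $hit->score, $doc->getFieldValue('type'), $doc->getFieldValue('url'));
    }
}
```

With the AND operator set, `zend php -java` returns only the article: the sample contains "java" and is excluded, which is the behaviour the slide's example implies. The two field queries show the other point of slide 43, that each document type is reachable through its own fields without the other type needing those fields at all.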