Lamp Zend Security

LAMP security with Zend Framework 2009/Mar/10 YMSLI



What is LAMP?

• A stack of open source software for building web applications:
– Linux: server operating system
– Apache: web server software
– MySQL: relational database
– PHP-Python-Perl: scripting languages


LAMP doesn’t always use Linux

• LAMP Classic
– Linux – Apache – MySQL – PHP etc

• WAMP
– Windows Server – Apache – MySQL – PHP etc
– Very common combination (compare: 50% of JBoss users on Windows)

• WIMP
– Windows Server – IIS – MySQL – PHP etc
– Somewhat common

• LIMP
– Linux – IIS – MySQL – PHP etc
– Logically possible but does not exist (MSFT refuses to port IIS to Linux)

• CHUMP
– risc CHip – vendor Unix – (Apache) – MySQL – PHP etc
– A few do this, but silly to run free software on expensive proprietary hardware


How big is LAMP?

• Gartner says open source middleware has 0.5% of the total $8.5 billion middleware market in 2006
– The middleware category includes all elements of the LAMP stack except the Linux OS

• But also says open source middleware will reach 10% by 2010

• This is by revenue... that means OSS MW has a much larger share of the actual installed base

• 35% of mission critical apps by 2008 (Forrester)


Yes, but what is LAMP really?

• LAMP is used to build server-based apps that connect users to a database

• Vast majority of apps have this same general architecture:

– [Diagram of the tiers: Internet, Web Servers, Application Servers, Databases]


Distribution of Open Source Licenses

SourceForge.Net Project Licenses (10/07/2004) - Total 57,466

[Bar chart: number of SourceForge projects per license, y-axis 0 to 40,000; the largest license accounts for 38,532 projects]

(Licenses with less than 70 projects not shown)


From: Matt Assay, OSBC 2006

Source: Robin Vasan, OSDL LUAC, 2006

Open Source Crossing the Chasm*

[Chart: market penetration by market stage (Innovators, Early Adopters, Early Majority, Late Majority, Laggards) with the Chasm marked; projects plotted: JBoss, Linux, PHP (Zend), Xen, Nagios (Groundwork), SugarCRM, Eclipse, Apache, MySQL, Snort (SourceFire), Asterisk (Digium), Alfresco, SpikeSource]

*Geoffrey Moore


Apache

• One of the first HTTP web servers
– Written at NCSA (same group that wrote the Mosaic web browser)
– Apache = “a patchy server”
– Released open source circa 1995, quickly became dominant
– Still dominant today, approx. 65% of all web sites worldwide

• Apache Software Foundation created 1999
– Internal structure based on coder meritocracy
– 9 board members – leading programmers with long standing in the community
– Mostly independent, but some industry players too (IBM, Google, Covalent)

• In time, many satellite projects spawned
– Apache now hosts many open source projects beyond the HTTP server
– Coalition of projects where authority is bottom up


Programming Language Trends

Trends measured by programming language book sales. Source: O’Reilly August 2006


Ruby King of the Scripting Hill

Trends measured by programming language book sales. Source: O’Reilly August 2006


PHP Usage Growth


LAMP has a Java variant: “LATMJSHS”

– Linux: server operating system
– Apache: web server software
– Tomcat: JSP/servlet container (Apache)
– MySQL: relational database
– Java: programming language
– Spring, Hibernate, Struts: open source Java frameworks


ZEND Framework – Specially for LAMP security


Welcome

• Today I’ll be introducing you to the Zend Framework
– What it is
– Why we’re doing it
– How to use it
– Where it’s going
– How to be a part of it


Getting Started

• Zend Framework is…
– A modular collection of PHP classes based on PHP 5 to simplify common tasks
– A starting point for your applications
– A demonstration of PHP 5 best practices
– A smaller component of the PHP Collaboration Project

• Zend Framework isn’t…
– A free-rein open source project
– A religion


Goals of the Framework

• Zend Framework strives to be fundamentally…
– An industry-leading framework for PHP application development
– A partnership between many companies already experienced in PHP framework development

• Zend Framework strives to be technically…
– A source of high-quality, PHP 5 / E_STRICT compatible application components
– Completely PHP 5 powered, requiring as few external PHP extensions as necessary
– A minimal object hierarchy to achieve the necessary goals
– Modular design allowing developers to use the framework at will, as they see fit


Why Yet another Framework?

• Keep PHP competitive with other technologies
– .NET, Java, etc.

• Provide “clean” IP to enable commercial use
– Real companies can’t just “borrow” code from the Internet without clear licensing

• “Extreme Simplicity”: It may not be simple technically, but using it should be.

• Take full advantage of PHP 5


The Framework License

• Zend Framework is licensed using a PHP/BSD style license
– Anyone can use it, for anything, no strings attached – period

• Along with the license of the framework itself, contributors must sign a Contributor License Agreement (CLA)


There’s no such thing as a free…

• Why spend so much time and effort on something, just to give it away?
– Yes, they’re still interested in making money

• For the continued success of PHP it must be a collaboration beyond OSS hackers
– Through the PHP Collaboration Project, and projects like Zend Framework, we can leverage the knowledge of some of the best in the industry for the benefit of PHP as a whole
– As you might expect, Zend benefits with PHP


We eat our own dog food

• Zend Framework is more than unit-tested, it is used in real-life production environments
– Gives us the ability to test performance, ease of use, etc. in a practical environment
– Zend and its partners are already using the preview release of the Framework to speed development of their applications
– Both the Framework homepage (framework.zend.com) and the new Developer’s Zone (devzone.zend.com) use the preview release of the Framework as their foundation


The grail: Extreme Simplicity

• Many of PHP 5’s most exciting new technologies are really simple to use:
– SimpleXML
– SOAP
– Tidy

• While the underlying technologies may be extremely complex, the end-user APIs are reduced to an extremely simple interface


Getting the Grail

• To achieve the grail of extreme simplicity
– “Simple things should be simple, complex things should be possible”

• Use-at-will architecture
– You shouldn’t be forced into buying the whole pizza just for a slice
– Use individual components (controller/model) without being forced to use everything (your own template/view)

• Configuration-less
– The framework should be plug-and-go, no configuration files necessary


Zend Framework from 10,000 feet


Completely PHP-5 focused

• Requires PHP 5.0.4 or later for the near future

• Takes full advantage of the PHP exception model

• Constants are all at the class level

• No functions in the global namespace

• ZE2 / SPL technologies fully utilized where it makes sense

• Black magic __magic() functions used very sparingly


Preview Release

• PR 1.2 is the latest preview release of the Framework, including many immediately useful tools such as:
– A basic MVC framework for application design
– A PDO-based database layer
– Feed (RSS, Atom) ingestion and manipulation
– An HTTP client
– Input data filtering
– JSON support for AJAX
– PDF generation and manipulation
– RPC / web service support
– And more!


Getting Zend Framework

• You can either get the framework preview release or check out the latest repository version

• Preview Release: http://framework.zend.com/

• Repository:
$ svn checkout http://framework.zend.com/svn/framework/trunk


Installing Zend Framework

• Installing the framework is very easy, just modify your include_path to include the library/ directory

From php.ini:

…
include_path=".:/usr/local/lib/php:/usr/local/lib/ZendFramework"
…

From .htaccess:

…
php_value include_path ".:/usr/local/lib/php:/usr/local/lib/ZendFramework"
…


MVC Pattern

• MVC, or Model View Controller pattern is a powerful technique for developing user interfaces

• Originally conceived for client-side GUI applications and later adapted to the web

• Zend Framework provides a simplistic MVC model


Example Controller

• Note: indexAction() is declared abstract in Zend_Controller_Action, and therefore must be defined in any Action/Page controller


Passing Parameters

• Beyond $_GET/$_POST you can also pass parameters to a specific controller action by appending them to the URL:
– http://localhost/foo/dosomething/param1/value1/param2/value2

• Parameters can be accessed from within the action by name
– $this->_getParam(<key> [, <default value>]);
– $this->_getAllParams();


Dealing with 404s

• 404 errors are no longer the responsibility of Apache per se, and are more likely to result in a ‘Class not found’ / ‘Method not found’ exception

• To deal with these Zend Framework provides two methods
– In the event of a controller not found, the IndexController::noRoute() method will be called instead
– In the event a controller action is not defined, it is the responsibility of the controller to implement safeguards (e.g. __call(), which traps bad action calls)


Chaining Controllers

• Controllers can be chained together to either break business logic out into components, or to otherwise redirect the user
– $this->_forward(<controller_name> [, <parameters>])
– Parameters are a series of key/value pairs
– Controller chaining does not occur until the current action is complete; to forward immediately you must return from the current action after calling _forward()

• Forwarding does not cause a refresh on the client; to physically refresh the browser use:
– $this->_redirect(<url>);
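A page controller written to the conventions of the slides from “Example Controller” through this one. This is an added example, not the slides’ own code; it assumes the preview-release Zend_Controller_Action method names as the slides give them (indexAction(), _getParam(), _forward(<controller_name>, <parameters>), IndexController::noRoute(), __call()) and a hypothetical ReportController as the forward target.

```php
<?php
// Added example, not from the slides. Assumes the preview-release
// Zend_Controller_Action API as named on the slides and a hypothetical
// ReportController as the forward target. URL: /foo/<action>/<key>/<value>
require_once 'Zend/Controller/Action.php';

class FooController extends Zend_Controller_Action
{
    // Required: indexAction() is abstract in Zend_Controller_Action.
    public function indexAction()
    {
        echo '<p>foo index</p>';
    }

    // Handles /foo/dosomething/page/3
    public function dosomethingAction()
    {
        // URL parameters are attacker-controlled: give a default and coerce
        // to the type you expect. ctype_digit() rejects "-1", "1e3" and
        // "12abc" alike; the (int) cast then makes the value safe to use.
        $page = $this->_getParam('page', 1);
        $page = ctype_digit((string) $page) ? (int) $page : 1;

        // Hand off to ReportController with the cleaned value. The forward
        // only happens after this action returns, so return right away.
        $this->_forward('report', array('page' => $page));
        return;
    }

    // Safeguard for undefined actions: without it, /foo/nosuchaction ends in
    // a "Method not found" exception instead of a clean 404. (_redirect()
    // would instead send the browser to a new URL; _forward() never does.)
    public function __call($action, $args)
    {
        header('HTTP/1.1 404 Not Found');
        echo '<p>Page not found</p>';
    }
}

class IndexController extends Zend_Controller_Action
{
    public function indexAction() { echo '<p>home</p>'; }

    // Called when the requested controller class does not exist.
    public function noRoute()
    {
        header('HTTP/1.1 404 Not Found');
        echo '<p>No such page</p>';
    }
}
```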


Final thoughts on MVC

• Although the pattern dictates three individual class types, they are as conceptual as functional

• For instance a “model” or “view” isn’t absolutely necessary to gain most of the benefit of MVC
– You can always perform queries from a controller
– You can always print output from a controller

• Although not necessary, they are nevertheless recommended


Input Filtering


Zend_InputFilter

• Security is a primary concern in Zend Framework

• As such, we provide facilities to clean and manage untrusted data in your applications via Zend_InputFilter and Zend_Filter
– Provides a number of methods for filtering data against many common data types (digits, alphanumeric, alpha, phone, etc.)


Using Zend_InputFilter

• With Input Filter you can both test data types and retrieve filtered data easily

• Note: by default the source of the data and all of its references are destroyed when filtered
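Worked use of the two Zend_InputFilter slides above, added here and not the slides’ own code: it constructs a sample request, filters it, and shows the destroyed-source behaviour. The names new Zend_InputFilter(&$source, $strict = true), getAlnum(), getDigits(), testEmail() and getRaw() are assumed from the preview-release API, not taken from the slides.

```php
<?php
// Added example, not the slides' own code. Assumes the preview-release
// Zend_InputFilter API: new Zend_InputFilter(&$source, $strict = true),
// test<Type>($key) returning true/false, get<Type>($key) returning the
// filtered value, getRaw($key) returning the original. These method names
// are recalled from that release, not quoted from the slides.
require_once 'Zend/InputFilter.php';

// Constructed sample request standing in for $_POST.
$post = array(
    'username' => 'alice<script>',    // markup smuggled into a name
    'age'      => '42abc',            // digits with trailing garbage
    'email'    => 'not-an-address',   // fails the e-mail test
);

// $post is taken by reference; with $strict = true (the default) it is set
// to null on construction, so no later code can reach the unfiltered copy
// by accident. Every access now goes through the filter object.
$filter = new Zend_InputFilter($post);
var_dump($post);

// Retrieve filtered data: getAlnum() keeps only letters and digits, so the
// tag characters in the sample username are dropped; getDigits() keeps
// only the digits of 'age'.
$username = $filter->getAlnum('username');
$age      = $filter->getDigits('age');

// Test data types: on failure, reject the request instead of "repairing"
// the value, since a repaired address is still not the one the user meant.
$errors = array();
if (!$filter->testEmail('email')) {
    $errors[] = 'invalid e-mail address';
}

// The unfiltered value is still reachable, but only through an explicit,
// grep-able call, which makes every use of raw input easy to audit.
$rawEmail = $filter->getRaw('email');

var_dump($username, $age, $errors, $rawEmail);
```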


Zend_Mail

• Simplifies building and sending e-mail

• Supports MIME types and multipart e-mail

• Supports multiple transports and persistent connections automatically

• Supports large file attachments via the streams API improving performance


Sending HTML mail is now really easy
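Sending a multipart text and HTML message with Zend_Mail, as an added example (the slide’s own code is not in this transcript). It assumes the Zend_Mail methods setFrom(), addTo(), setSubject(), setBodyText(), setBodyHtml() and send(); the addresses are constructed sample values.

```php
<?php
// Added example, not the slides' own code. Assumes the Zend_Mail method
// names setFrom(), addTo(), setSubject(), setBodyText(), setBodyHtml()
// and send(); the addresses are constructed sample values.
require_once 'Zend/Mail.php';

function sendWelcomeMail($to, $name)
{
    // Anything that ends up in a mail header must not contain CR or LF:
    // a line break inside a recipient value would let extra headers be
    // injected into the message. Reject such input, do not strip it.
    if (preg_match('/[\r\n]/', $to . $name)) {
        throw new Exception('line break in mail header value');
    }

    $mail = new Zend_Mail();
    $mail->setFrom('noreply@example.com', 'Example Site');
    $mail->addTo($to, $name);
    $mail->setSubject('Welcome to Example Site');

    // Plain-text part for clients that do not render HTML, HTML part for
    // the rest; Zend_Mail assembles the multipart/alternative message.
    $mail->setBodyText("Welcome, $name!\n\nThanks for signing up.");

    // $name came from user input: escape it before it goes into HTML.
    $safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $mail->setBodyHtml("<h1>Welcome, $safeName!</h1><p>Thanks for signing up.</p>");

    $mail->send();
}

// Constructed sample call.
sendWelcomeMail('alice@example.org', 'Alice');
```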


Zend_Search

• PHP 5 implementation of the popular Lucene search engine from the Java world.

• Simplified API

• Requires no special PHP extensions

• Fully compatible with the binary index format of Java Lucene 1.4 and above


Zend_Search Features

• Ranked searching
– Best results always first

• Many query types: phrase, wildcard, proximity

• Search by field (author, title, body, etc.)

• Robust and simple API
– One-method intelligent searches against indexes, or complex OO queries if desired
– Index multiple document types, with different field requirements


Using Zend_Search

• Using Zend Search is very easy

• The search engine also boasts a parser for Google-like searching, e.g. zend php -java


Adding documents to the index


Cool things about Zend_Search

• The Lucene search engine allows you to index multiple document types in a single index, each with different index fields
– Index individual documents with different searchable criteria
– I.e. index code samples by the functions used, while articles are indexed by title, author, and keywords, all in the same index

• Because it is 100% compatible with Lucene 1.4+, it is compatible with all pre-created index files
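Indexing two document types with different fields into one index and running the slide’s Google-like query, as an added example covering “Using Zend_Search”, “Adding documents to the index” and the point above (not the slides’ own code). It assumes the Zend_Search_Lucene API names Zend_Search_Lucene::create(), Zend_Search_Lucene_Document, Zend_Search_Lucene_Field::Keyword()/Text()/UnStored(), addDocument(), commit() and find(), and a constructed index path.

```php
<?php
// Added example, not the slides' own code. Assumes the Zend_Search_Lucene
// API names Zend_Search_Lucene::create(), Zend_Search_Lucene_Document,
// Zend_Search_Lucene_Field::Keyword()/Text()/UnStored(), addDocument(),
// commit() and find(); the index path is a constructed placeholder.
require_once 'Zend/Search/Lucene.php';

$index = Zend_Search_Lucene::create('/tmp/zf-demo-index');

// Document type 1: an article, searchable by title, author and keywords.
$article = new Zend_Search_Lucene_Document();
$article->addField(Zend_Search_Lucene_Field::Keyword('type', 'article'));
$article->addField(Zend_Search_Lucene_Field::Text('title', 'Filtering input with Zend_InputFilter'));
$article->addField(Zend_Search_Lucene_Field::Text('author', 'Example Author'));
$article->addField(Zend_Search_Lucene_Field::Text('keywords', 'zend php security'));
$index->addDocument($article);

// Document type 2: a code sample, indexed by the functions it calls; the
// code itself is UnStored (searchable, but not kept in the index).
$sample = new Zend_Search_Lucene_Document();
$sample->addField(Zend_Search_Lucene_Field::Keyword('type', 'sample'));
$sample->addField(Zend_Search_Lucene_Field::Text('functions', 'getAlnum testEmail'));
$sample->addField(Zend_Search_Lucene_Field::UnStored('code', '$f = new Zend_InputFilter($_POST); $u = $f->getAlnum("user");'));
$index->addDocument($sample);

// A Java-flavoured article, present so the "-java" term below excludes it.
$java = new Zend_Search_Lucene_Document();
$java->addField(Zend_Search_Lucene_Field::Keyword('type', 'article'));
$java->addField(Zend_Search_Lucene_Field::Text('title', 'Lucene from PHP and Java'));
$java->addField(Zend_Search_Lucene_Field::Text('keywords', 'java lucene php'));
$index->addDocument($java);
$index->commit();

// The Google-like query from the slide: hits mention zend or php, and not
// java. Both document types are searched at once; 'type' is the one field
// stored in every document, so that is what is read back from each hit.
foreach ($index->find('zend php -java') as $hit) {
    printf("doc %d (%s) score %.2f\n", $hit->id, $hit->type, $hit->score);
}
```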


Any Questions?