Lamp Zend Security
LAMP security with Zend Framework
2009/Mar/10
YMSLI
2
What is LAMP?
• A stack of open source software for building web applications:
Linux: server operating system
Apache: web server software
MySQL: relational database
PHP-Python-Perl: scripting languages
3
LAMP doesn’t always use Linux
• LAMP Classic – Linux – Apache – MySQL – PHP etc.
• WAMP – Windows Server – Apache – MySQL – PHP etc.
– very common combination (compare: 50% of JBoss users on Windows)
• WIMP – Windows Server – IIS – MySQL – PHP etc.
– somewhat common
• LIMP – Linux – IIS – MySQL – PHP etc.
– logically possible but does not exist (MSFT refuses to port IIS to Linux)
• CHUMP – RISC chip – vendor Unix – (Apache) – MySQL – PHP etc.
– a few do this, but silly to run free software on expensive proprietary hardware
4
How big is LAMP?
• Gartner says open source middleware has 0.5% of the total $8.5 billion middleware market in 2006
– the middleware category includes all elements of the LAMP stack except the Linux OS
• But it also says open source middleware will reach 10% by 2010
• This is by revenue... which means OSS middleware has a much larger share of the actual installed base
• 35% of mission-critical apps by 2008 (Forrester)
5
Yes, but what is LAMP really?
• LAMP is used to build server-based apps that connect users to a database
• The vast majority of apps have this same general architecture:
[Diagram: Internet → Web Servers → Application Servers → Databases]
6
Distribution of Open Source Licenses
[Bar chart: SourceForge.Net project licenses (10/07/2004), total 57,466 projects; y-axis 0 to 40,000. Bar values as extracted, license names not recoverable: 38,532; 6,125; 3,997; 1,528; 1,128; 994; 955; 920; 667; 379; 271; 249; 221; 211; 195; 160; 137; 117; 91; 74. Licenses with fewer than 70 projects not shown.]
7
From: Matt Assay, OSBC 2006. Source: Robin Vasan, OSDL LUAC, 2006
[Chart: Open Source Crossing the Chasm (after Geoffrey Moore, "Crossing the Chasm"). X-axis: market stage – Innovators, Early Adopters, Early Majority, Late Majority, Laggards, with the chasm between Early Adopters and Early Majority. Y-axis: market penetration. Projects plotted: JBoss, Linux, PHP (Zend), Xen, Nagios (Groundwork), SugarCRM, Eclipse, Apache, MySQL, Snort (SourceFire), Asterisk (Digium), Alfresco, SpikeSource.]
8
Apache
• One of the first HTTP web servers
– Written at NCSA (the same group that wrote the Mosaic web browser)
– Apache = “a patchy server”
– Released open source circa 1995, quickly became dominant
– Still dominant today, approx. 65% of all web sites worldwide
• Apache Software Foundation created 1999
– Internal structure based on coder meritocracy
– 9 board members – leading programmers with long standing in the community
– Mostly independent, but some industry players too (IBM, Google, Covalent)
• In time, many satellite projects spawned
– Apache now hosts many open source projects beyond the HTTP server
– Coalition of projects where authority is bottom-up
9
Programming Language Trends
Trends measured by programming language book sales. Source: O’Reilly August 2006
10
Ruby King of the Scripting Hill
Trends measured by programming language book sales. Source: O’Reilly August 2006
11
PHP Usage Growth
12
LAMP has a Java variant: “LATMJSHS”
Linux: server operating system
Apache: web server software
Tomcat: JSP/servlet container (Apache)
MySQL: relational database
Java: programming language
Spring, Hibernate, Struts: open source Java frameworks
13
ZEND Framework – Specially for LAMP security
14
Welcome
• Today I’ll be introducing you to the Zend Framework
– What it is
– Why we’re doing it
– How to use it
– Where it’s going
– How to be a part of it
15
Getting Started
• Zend Framework is...
– A modular collection of PHP classes based on PHP 5 to simplify common tasks
– A starting point for your applications
– A demonstration of PHP 5 best practices
– A smaller component of the PHP Collaboration Project
• Zend Framework isn’t...
– A free-rein open source project
– A religion
16
Goals of the Framework
• Zend Framework strives to be fundamentally...
– An industry-leading framework for PHP application development
– A partnership between many companies already experienced in PHP framework development
• Zend Framework strives to be technically...
– A source of high-quality, PHP 5 / E_STRICT compatible application components
– Completely PHP 5 powered, requiring as few external PHP extensions as necessary
– A minimal object hierarchy to achieve the necessary goals
– Modular design allowing developers to use the framework at will, as they see fit
17
Why Yet another Framework?
• Keep PHP competitive with other technologies
– .NET, Java, etc.
• Provide “clean” IP to enable commercial use
– Real companies can’t just “borrow” code from the Internet without clear licensing
• “Extreme Simplicity”: it may not be simple technically, but using it should be
• Take full advantage of PHP 5
18
The Framework License
• Zend Framework is licensed using a PHP/BSD style license
– Anyone can use it, for anything, no strings attached – period.
• Along with the license of the framework itself, contributors must sign a Contributor License Agreement (CLA)
19
There’s no such thing as a free…
• Why spend so much time and effort on something, just to give it away?
– Yes, they’re still interested in making money
• For the continued success of PHP it must be a collaboration beyond OSS hackers
– Through the PHP Collaboration Project, and projects like Zend Framework, we can leverage the knowledge of some of the best in the industry for the benefit of PHP as a whole
– As you might expect, Zend benefits along with PHP
20
We eat our own dog food
• Zend Framework is more than unit-tested, it is used in real-life production environments
– Gives us the ability to test performance, ease of use, etc. in a practical environment
– Zend and its partners are already using the preview release of the Framework to speed development of their applications
– Both the Framework homepage (framework.zend.com) and the new Developer’s Zone (devzone.zend.com) use the preview release of the Framework as their foundation
21
The grail: Extreme Simplicity
• Many of PHP 5’s most exciting new technologies are really simple to use:
– SimpleXML
– SOAP
– Tidy
• While the underlying technologies may be extremely complex, the end-user APIs are reduced to an extremely simple interface
22
Getting the Grail
• To achieve the grail of extreme simplicity
– “Simple things should be simple, complex things should be possible”
• Use-at-will architecture
– You shouldn’t be forced into buying the whole pizza just for a slice
– Use individual components (controller/model) without being forced to use everything (your own template/view)
• Configuration-less
– The framework should be plug-and-go, no configuration files necessary
23
Zend Framework from 10,000 feet
24
Completely PHP-5 focused
• Requires PHP 5.0.4 or later for the near future
• Takes full advantage of the PHP exception model
• Constants are all at the class level
• No functions in the global namespace
• ZE2 / SPL technologies fully utilized where it makes sense
• Black magic __magic() functions used very sparsely
25
Preview Release
• PR 1.2 is the latest preview release of the Framework, including many immediately useful tools such as:
– A basic MVC framework for application design
– A PDO-based database layer
– Feed (RSS, Atom) ingestion and manipulation
– An HTTP client
– Input data filtering
– JSON support for AJAX
– PDF generation and manipulation
– RPC / web service support
– And more!
26
Getting Zend Framework
• You can either get the framework preview release or check out the latest repository version
• Preview Release: http://framework.zend.com/
• Repository:
$ svn checkout http://framework.zend.com/svn/framework/trunk
27
Installing Zend Framework
• Installing the framework is very easy: just modify your include_path to include the library/ directory
From php.ini:
include_path=".:/usr/local/lib/php:/usr/local/lib/ZendFramework"
From .htaccess:
php_value include_path ".:/usr/local/lib/php:/usr/local/lib/ZendFramework"
28
MVC Pattern
• MVC, or Model View Controller pattern is a powerful technique for developing user interfaces
• Originally conceived for client-side GUI applications and later adapted to the web
• Zend Framework provides a simplistic MVC model
29
Example Controller
• Note: indexAction() is declared abstract in Zend_Controller_Action, and therefore must be defined in any Action/Page controller
30
Passing Parameters
• Beyond $_GET/$_POST you can also pass parameters to a specific controller action by appending them to the URL:
– http://localhost/foo/dosomething/param1/value1/param2/value2
• Parameters can be accessed from within the action by name
– $this->_getParam(<key> [, <default value>]);
– $this->_getAllParams();
31
Dealing with 404s
• 404 errors are no longer the responsibility of Apache per se, and are more likely to result in a ‘Class not found’ / ‘Method not found’ exception
• To deal with these, Zend Framework provides two methods
– In the event of a controller not found, the IndexController::noRoute() method will be called instead
– In the event a controller action is not defined, it is the responsibility of the controller to implement safeguards (i.e. __call(), which traps bad action calls)
32
Chaining Controllers
• Controllers can be chained together to either break business logic out into components, or to otherwise redirect the user
– $this->_forward(<controller_name> [, <parameters>])
– Parameters are a series of key/value pairs
– Controller chaining does not occur until the current action is complete; to forward immediately you must return from the current action after calling _forward()
• Forwarding does not cause a refresh on the client; to physically refresh the browser:
– $this->_redirect(<url>);
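The four controller slides above (Example Controller, Passing Parameters, Dealing with 404s, Chaining Controllers) all describe one page controller. The code below is an added example and not from the deck or from Zend's distribution. It assumes library/ is on include_path, that the front controller maps /foo/dosomething/param1/value1 to FooController::dosomethingAction(), and it follows the slide's `_forward(<controller_name> [, <parameters>])` argument order, which changed in later releases; `Zend_Filter::getAlnum()` is assumed to exist as a static helper in the preview release.

```php
<?php
// Added example (not from the slides): page controllers for the Zend Framework
// preview release. Assumes library/ is on include_path and that the front
// controller routes /<controller>/<action>/<key>/<value>... to <Controller>Controller::<action>Action().
require_once 'Zend/Controller/Action.php';
require_once 'Zend/Exception.php';
require_once 'Zend/Filter.php';

class FooController extends Zend_Controller_Action
{
    // indexAction() is abstract in Zend_Controller_Action, so every page
    // controller must define it. Serves /foo and /foo/index.
    public function indexAction()
    {
        echo '<h1>Foo</h1>';
    }

    // Serves /foo/dosomething/param1/value1/param2/value2
    public function dosomethingAction()
    {
        // Path parameters are attacker-controlled exactly like $_GET/$_POST:
        // whitelist the characters you expect before using the value.
        $param1 = Zend_Filter::getAlnum($this->_getParam('param1', ''));  // 2nd arg = default
        $all    = $this->_getAllParams();                                  // every key/value pair

        if ($param1 === '') {
            // Chain to IndexController with a parameter. The forward only
            // takes effect after this action returns, hence the explicit return.
            $this->_forward('index', array('reason' => 'badparam'));
            return;
        }

        echo '<p>param1 = ' . htmlspecialchars($param1) . '</p>';
        echo '<pre>' . htmlspecialchars(print_r($all, true)) . '</pre>';
    }

    // A POST handler that sends the browser elsewhere: _redirect() emits a
    // real HTTP redirect, whereas _forward() is invisible to the client.
    public function saveAction()
    {
        // ... persist the filtered form data here ...
        $this->_redirect('/foo/index');
    }

    // "Method not found": the dispatcher calls <action>Action() directly, so
    // an unknown action lands in __call(). Answer with a 404 instead of letting
    // PHP die with a fatal error (which can leak file paths in the response).
    public function __call($method, $args)
    {
        if (substr($method, -6) === 'Action') {
            header('HTTP/1.1 404 Not Found');
            echo '<h1>404 - page not found</h1>';
            return;
        }
        throw new Zend_Exception("Unknown method $method");
    }
}

class IndexController extends Zend_Controller_Action
{
    public function indexAction()
    {
        // 'reason' arrives here via _forward() from FooController above.
        $reason = Zend_Filter::getAlnum($this->_getParam('reason', ''));
        echo '<h1>Home</h1>';
        if ($reason !== '') {
            echo '<p>Request rejected: ' . htmlspecialchars($reason) . '</p>';
        }
    }

    // "Class not found": the framework calls IndexController::noRoute()
    // when no controller matches the URL.
    public function noRoute()
    {
        header('HTTP/1.1 404 Not Found');
        echo '<h1>404 - no such controller</h1>';
    }
}
```

In a real project each class lives in its own file (FooController.php, IndexController.php) under the controllers directory so the dispatcher can load it; they are shown together here only for reading. Note that every value that reaches the page, whether from the URL path or from `_getAllParams()`, is filtered before use and HTML-escaped before output.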
33
Final thoughts on MVC
• Although the pattern dictates three individual class types, they are as conceptual as functional
• For instance, a “model” or “view” isn’t absolutely necessary to gain most of the benefit of MVC
– You can always perform queries from a controller
– You can always print output from a controller
• Although not necessary, they are nevertheless recommended
34
Input Filtering
35
Zend_InputFilter
• Security is a primary concern in Zend Framework
• As such, we provide facilities to clean and manage untrusted data in your applications via Zend_InputFilter and Zend_Filter
– Provides a number of methods for filtering data against many common data types (digits, alphanumeric, alpha, phone, etc.)
36
Using Zend_InputFilter
• With Input Filter you can both test data types and retrieve filtered data easily
• Note: by default, the source of the data and all of its references are destroyed when filtered
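The two Zend_InputFilter slides above describe the API without showing it in use. The following is an added example, not code from the deck or from Zend; it assumes library/ is on include_path and that the accessor names (`getAlpha`, `getDigits`, `testInt`, `testEmail`, `noTags`, `getRaw`) match the preview-release manual, which later versions replaced with Zend_Filter_Input. The request data is constructed for the example.

```php
<?php
// Added example (not from the slides): filtering an untrusted POST with
// Zend_InputFilter. Assumes library/ is on include_path; accessor names follow
// the preview-release manual and may differ in later framework versions.
require_once 'Zend/InputFilter.php';

// Constructed sample request standing in for a real browser POST.
$_POST = array(
    'username' => 'alice<script>alert(1)</script>',
    'age'      => '42abc',
    'id'       => '17',
    'email'    => 'alice@example.com',
    'comment'  => 'Nice <b>talk</b>',
);

function readForm(array &$source)
{
    // Wrapping the array hands ownership to the filter: by default the
    // constructor nulls the source array, so the unfiltered values can no
    // longer be reached by accident elsewhere in the application.
    $filter = new Zend_InputFilter($source);

    $user = array();
    // get* methods return a cleaned copy: characters outside the allowed
    // class are stripped.
    $user['username'] = $filter->getAlpha('username');   // "alicescriptalertscript"
    $user['age']      = $filter->getDigits('age');       // "42"

    // test* methods do not repair the value; they return it only if it already
    // matches, else false. Use these where silently "fixing" would be wrong
    // (record ids, addresses), and reject the request on false.
    $user['id']    = $filter->testInt('id');             // "17"
    $user['email'] = $filter->testEmail('email');        // "alice@example.com"
    if ($user['id'] === false || $user['email'] === false) {
        throw new InvalidArgumentException('Bad id or e-mail');
    }

    // Free text: strip tags rather than characters, then escape again on
    // output, because filtering input does not make the HTML context safe.
    $user['comment'] = $filter->noTags('comment');       // "Nice talk"
    return $user;
}

$user = readForm($_POST);
var_dump($_POST);                       // NULL: the source was destroyed
foreach ($user as $k => $v) {
    echo $k . ': ' . htmlspecialchars($v) . "\n";
}
```

The split between `get*` (sanitize) and `test*` (validate or fail) is the useful part: a numeric id that arrives as "17abc" should be refused, not quietly turned into 17, while a display name can reasonably be reduced to its letters. Because the constructor destroys `$_POST`, any later code that tries to read the raw array gets null instead of unfiltered input.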
37
Zend_Mail
• Simplifies building and sending e-mail
• Supports MIME types and multipart e-mail
• Supports multiple transports and persistent connections automatically
• Supports large file attachments via the streams API improving performance
38
Sending HTML mail is now really easy
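The slide "Sending HTML mail is now really easy" carried a code image that did not survive extraction. Below is an added example of my own, not the deck's code, showing a text-plus-HTML message with Zend_Mail. It assumes library/ is on include_path, the default PHP mail() transport, and that `Zend_Filter::isEmail()` and `Zend_Filter::getAlpha()` are available as static helpers in the preview release; the addresses are constructed sample values.

```php
<?php
// Added example (not from the slides): sending a multipart text+HTML message
// with Zend_Mail. Assumes library/ is on include_path and the default mail()
// transport; addresses and content are constructed sample values.
require_once 'Zend/Mail.php';
require_once 'Zend/Filter.php';

function sendWelcome($toAddress, $toName)
{
    // The recipient typically comes from a signup form, i.e. from the user.
    // Validate it with the input-filtering slide's tools before it reaches
    // a mail header: a value that is not a plain address is refused outright.
    if (!Zend_Filter::isEmail($toAddress)) {
        throw new InvalidArgumentException('Invalid recipient address');
    }
    $name = Zend_Filter::getAlpha($toName);          // whitelist the display name

    $mail = new Zend_Mail();
    $mail->setFrom('noreply@example.com', 'Example App');
    $mail->addTo($toAddress, $name);
    $mail->setSubject('Welcome to Example App');

    // Plain-text part for clients that cannot or will not render HTML ...
    $mail->setBodyText("Hello $name,\nThanks for signing up.");
    // ... and the HTML part; Zend_Mail assembles the multipart/alternative
    // body and MIME headers itself. Escape the name for the HTML context.
    $mail->setBodyHtml('<p>Hello ' . htmlspecialchars($name) . ',</p>'
                     . '<p>Thanks for signing up.</p>');

    $mail->send();
    return true;
}

sendWelcome('alice@example.com', 'Alice');
```

Setting both `setBodyText()` and `setBodyHtml()` is what makes the message multipart; with only one of them Zend_Mail sends a single-part message. The validation step is deliberately placed in front of `addTo()` so that header-bearing fields only ever receive values that passed the filter.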
39
Zend_Search
• PHP 5 implementation of the popular Lucene search engine from the Java world.
• Simplified API
• Requires no special PHP extensions
• Fully compatible with the binary index format of Java Lucene 1.4 and above
40
Zend_Search Features
• Ranked Searching– Best results always first
• Many Query types: phrase, wildcard, proximity
• Search by field (Author, title, body, etc.)• Robust, and simple API
– One-method intelligent searches against indexes, or complex OO queries if desired
– Index multiple document types, with different field requirements
41
Using Zend_Search
• Using Zend Search is very easy
• The search engine also boasts a parser for Google-like searching: zend php -java
42
Adding documents to the index
43
Cool things about Zend_Search
• The Lucene search engine allows you to index multiple document types in a single index, each with different index fields
– Index individual documents with different searchable criteria
– I.e. index code samples by the functions used, while articles are indexed by title, author, and keywords, in the same index
• Because it is 100% compatible with Lucene 1.4+, it is compatible with all pre-created index files
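The three Zend_Search slides above (Using Zend_Search, Adding documents to the index, Cool things about Zend_Search) describe building an index with mixed document types and querying it with the Google-like string "zend php -java". The code below is an added example, not the deck's or Zend's own code. It assumes library/ is on include_path and a writable index directory; the method names (`Zend_Search_Lucene::create()`, `Zend_Search_Lucene_Field::Text/Keyword/UnIndexed`, `find()`, `Zend_Search_Lucene_Search_QueryParserException`) follow the 1.x API, whereas the preview release opened an index through the constructor. The sample documents are constructed.

```php
<?php
// Added example (not from the slides): one Lucene-compatible index holding
// two document types, queried with the deck's "zend php -java" search.
// Assumes library/ is on include_path; API names follow Zend Framework 1.x.
require_once 'Zend/Search/Lucene.php';

$indexPath = '/tmp/zf-demo-index';            // assumed writable directory
$index = Zend_Search_Lucene::create($indexPath);

// Document type 1: articles, searchable by title, author and keywords.
$articles = array(   // constructed sample data
    array('title' => 'Securing LAMP with Zend Framework', 'author' => 'YMSLI',
          'keywords' => 'zend php security', 'url' => '/articles/1'),
    array('title' => 'Lucene from Java', 'author' => 'YMSLI',
          'keywords' => 'java lucene zend', 'url' => '/articles/2'),
);
foreach ($articles as $a) {
    $doc = new Zend_Search_Lucene_Document();
    $doc->addField(Zend_Search_Lucene_Field::Keyword('type', 'article'));   // stored, not tokenized
    $doc->addField(Zend_Search_Lucene_Field::Text('title', $a['title']));   // tokenized + stored
    $doc->addField(Zend_Search_Lucene_Field::Text('author', $a['author']));
    $doc->addField(Zend_Search_Lucene_Field::Text('keywords', $a['keywords']));
    $doc->addField(Zend_Search_Lucene_Field::UnIndexed('url', $a['url']));  // stored only
    $index->addDocument($doc);
}

// Document type 2: code samples, indexed by the functions they use.
// Different fields, same index.
$samples = array(   // constructed sample data
    array('functions' => 'mysql_query htmlspecialchars', 'url' => '/samples/1'),
    array('functions' => 'zend_mail setBodyHtml php', 'url' => '/samples/2'),
);
foreach ($samples as $s) {
    $doc = new Zend_Search_Lucene_Document();
    $doc->addField(Zend_Search_Lucene_Field::Keyword('type', 'sample'));
    $doc->addField(Zend_Search_Lucene_Field::Text('functions', $s['functions']));
    $doc->addField(Zend_Search_Lucene_Field::UnIndexed('url', $s['url']));
    $index->addDocument($doc);
}
$index->commit();

// Query strings come straight from the search box. A malformed one makes the
// parser throw; catch it and return no hits rather than expose the exception.
function search(Zend_Search_Lucene $index, $queryString)
{
    try {
        return $index->find($queryString);   // ranked by score, best results first
    } catch (Zend_Search_Lucene_Search_QueryParserException $e) {
        return array();
    }
}

// "zend php -java": documents mentioning zend or php, excluding any that
// mention java. The "Lucene from Java" article is therefore dropped.
foreach (search($index, 'zend php -java') as $hit) {
    printf("%.2f  %-8s %s\n", $hit->score, $hit->type, $hit->url);
}
```

Fields declared with `UnIndexed` are returned with the hit but never matched, which is the right choice for URLs and other display-only data; `Keyword` fields are stored and matched as a whole (useful for the document type), and `Text` fields are tokenized for full-text search. Because the index format is the Java Lucene 1.4 binary format, the directory written here can also be opened by a Java Lucene application.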
44
Any Questions?