DOCSLIB.ORG

Practical PHP Object Injection

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Practical PHP Object Injection Practical PHP Object Injection Practical PHP Object Injection $(whoami) Brendan Jamieson (@hyprwired) . Wellington based consultant for Insomnia Security . Infosec . Linux . Python . CTF (@hamiltr0n_ctf) . Apparently 16/12/2015 Practical PHP Object Injection Talk Overview 1. Theory 4. TODO.txt Objects 101 Future ideas PHP Serialization 101 Magic Methods + Autoloading PHP Object Injection 101 2. Bug Hunting Finding PHP Object Injection Finding useful POP chains 3. Exploitation Building POP chains Demos 16/12/2015 Practical PHP Object Injection PHASE 1 - THEORY 16/12/2015 Practical PHP Object Injection Objects in PHP . Objects in code can represent anything . An object is defined by a class . e.g. a Hacker object is defined by the Hacker class 16/12/2015 Practical PHP Object Injection Hacker class class Hacker { private $beard_length; public function __construct(){ $this->beard_length = 0; } public function grow_beard($grow_length){ $this->beard_length += $grow_length; } } 16/12/2015 Practical PHP Object Injection Hacker objects <?php require("./Hacker.php"); $hyprwired = new Hacker(); . 16/12/2015 Practical PHP Object Injection Hacker objects <?php require("./Hacker.php"); $hyprwired = new Hacker(); $hyprwired->grow_beard(0); // Maybe one day . 16/12/2015 Practical PHP Object Injection Hacker objects <?php require("./Hacker.php"); $hyprwired = new Hacker(); $hyprwired->grow_beard(0); // Maybe one day $metlstorm = new Hacker(); . 16/12/2015 Practical PHP Object Injection Hacker objects 16/12/2015 Practical PHP Object Injection Hacker objects <?php require("./Hacker.php"); $hyprwired = new Hacker(); $hyprwired->grow_beard(0); $metlstorm = new Hacker(); $metlstorm->grow_beard(9001); 16/12/2015 Practical PHP Object Injection What is (de)serialization used for? . (De)serialization allows for easy transfer of objects. e.g. serialize() an object to a string . write string to a file . unserialize() file’s contents back into an object . Deserialization of data is not necessarily dangerous . Deserialization of user controllable data is 16/12/2015 Practical PHP Object Injection PHP Serialized Format . boolean . NULL b:<value>; N; // NULL b:1; // True b:0; // False . string s:<length>:"<value>"; . integer s:8:"INSOMNIA"; // "INSOMNIA" i:<value>; i:1; // 1 . array i:-3; // -3 a:<length>:{key, value pairs}; a:2:{s:4:"key1";s:6:"value1"; . double s:4:"key2";s:6:"value2";} d:<value>; // array("key1" => "value1", "key2" => "value2"); d:1.2345600000000001; // 1.23456 16/12/2015 Practical PHP Object Injection Serialization Example – Class Definition <?php . Foobar.php class Foobar{ private $state = 'Inactive'; public function set_state($state){ $this->state = $state; } public function get_state(){ return $this->state; } } 16/12/2015 Practical PHP Object Injection Serialization Example – Class Definition <?php . Foobar.php class Foobar{ private $state = 'Inactive'; . Example class “Foobar” public function set_state($state){ $this->state = $state; } public function get_state(){ return $this->state; } } 16/12/2015 Practical PHP Object Injection Serialization Example – Class Definition <?php . Foobar.php class Foobar{ private $state = 'Inactive'; . Example class “Foobar” public function set_state($state){ $this->state = $state; . Simple class that has a “state” } property public function get_state(){ return $this->state; } } 16/12/2015 Practical PHP Object Injection Serialization Example - serialize() <?php . serialize.php require('./Foobar.php'); $object = new Foobar(); . New Foobar object is created $object->set_state('Active'); . Property is set, object serialized $data = serialize($object); file_put_contents('./serialized.txt', . Serialized value is saved to file $data); ?> 16/12/2015 Practical PHP Object Injection Serialization Example - Serialized Object Format $ cat serialized.txt O:6:"Foobar":1:{s:13:"Foobarstate";s:6:"Active";} O:<class_name_length>:"<class_name>":<number_of_properties>:{<properties>}; 16/12/2015 Practical PHP Object Injection Serialization Example - Serialized Object Format $ cat serialized.txt O:6:"Foobar":1:{s:13:"Foobarstate";s:6:"Active";} O:<class_name_length>:"<class_name>":<number_of_properties>:{<properties>}; . O:6:"Foobar" . Object, 6 character long name (“Foobar”) 16/12/2015 Practical PHP Object Injection Serialization Example - Serialized Object Format $ cat serialized.txt O:6:"Foobar":1:{s:13:"Foobarstate";s:6:"Active";} O:<class_name_length>:"<class_name>":<number_of_properties>:{<properties>}; . O:6:"Foobar" . Object, 6 character long name (“Foobar”) . 1 . Object has 1 property 16/12/2015 Practical PHP Object Injection Serialization Example - Serialized Object Format $ cat serialized.txt O:6:"Foobar":1:{s:13:"Foobarstate";s:6:"Active";} O:<class_name_length>:"<class_name>":<number_of_properties>:{<properties>}; . O:6:"Foobar" . Object, 6 character long name (“Foobar”) . 1 . Object has 1 property . s:13:"Foobarstate";s:6:"Active"; . Object’s properties; “state” with value “Active” 16/12/2015 Practical PHP Object Injection Serialization Example - Serialized Object Format $ cat serialized.txt O:6:"Foobar":1:{s:13:"Foobarstate";s:6:"Active";} O:<class_name_length>:"<class_name>":<number_of_properties>:{<properties>}; . O:6:"Foobar" . Object, 6 character long name (“Foobar”) Wait a minute… “Foobarstate” is only . 1 11 characters long? . Object has 1 property . s:13:"Foobarstate";s:6:"Active"; . Object’s properties; “state” with value “Active” 16/12/2015 Practical PHP Object Injection Serialization Example - Serialized Object Format 16/12/2015 Practical PHP Object Injection Serialization Example - unserialize() <?php . unserialize.php require('./Foobar.php'); . File containing serialized object read $filename = './serialized.txt'; $file_contents = file_get_contents($filename); . Object created from stored value $object = unserialize($file_contents); var_dump($object->get_state()); var_dump($object); ?> 16/12/2015 Practical PHP Object Injection Magic Methods - Part I PHP classes have a specific subset of “magic methods”: . __construct(), __destruct() . __call(), __callStatic() . __get(), __set() . __isset(), __unset() . __sleep(), __wakeup() . __toString() . __invoke() . __set_state() . __clone() . __debugInfo() 16/12/2015 Practical PHP Object Injection Magic Methods - Part I PHP classes have a specific subset of “magic methods”: . __construct(), __destruct() . __call(), __callStatic() . __get(), __set() . __isset(), __unset() . __sleep(), __wakeup() . __toString() For this talk, we’ll . __invoke() focus on these two. __set_state() . __clone() . __debugInfo() 16/12/2015 Practical PHP Object Injection Magic Methods - Part II . __wakeup() "unserialize() checks for the presence of a function with the magic name __wakeup(). If present, this function can reconstruct any resources that the object may have.“ . __destruct() "The destructor method will be called as soon as there are no other references to a particular object, or in any order during the shutdown sequence.“ 16/12/2015 Practical PHP Object Injection PHP Object Injection 101 . Stefan Esser first presented in 2009 and 2010 . “Shocking News in PHP Exploitation” . “Utilizing Code Reuse/ROP in PHP Application Exploits” . Makes use of POP (Property-oriented Programming) chains . Similar to ROP; reuse existing code (POP gadgets) . Vulnerability introduced using unsafe deserialization methods on untrusted input: . unserialize(<user_input>) 16/12/2015 Practical PHP Object Injection PHP Object Injection - Examples . CVE-2012-0911: Tiki Wiki unserialize() PHP Code Execution . CVE-2012-5692: Invision IP.Board unserialize() PHP Code Execution . CVE-2014-1691: Horde Framework Unserialize PHP Code Execution . CVE-2014-8791: Tuleap PHP Unserialize Code Execution . CVE-2015-2171: Slim Framework PHP Object Injection . CVE-2015-7808: vBulletin 5 Unserialize Code Execution . MWR Labs: Laravel -> Cookie Forgery -> Decryption -> RCE 16/12/2015 Practical PHP Object Injection Magic Methods and POP Chains . POP = Property Oriented Programming . Name is from the fact that adversary controls all properties of an object that can be used during deserialization . Just like ROP, start with initial gadgets, which can then call other gadgets . In PHP Object Injection, the initial gadgets are magic methods such as __wakeup() or __destruct() . Useful POP chain methods: . Command Execution . File Access . exec() . file_put_contents() . passthru() . file_get_contents() . popen() . unlink() . system() 16/12/2015 Practical PHP Object Injection Simple Class POP Chain <?php class DemoPopChain{ private $data = “bar\n”; private $filename = ‘/tmp/foo’; public function __wakeup(){ $this->save($this->filename); } public function save($filename){ file_put_contents($filename, $this->data); } ?> 16/12/2015 Practical PHP Object Injection Simple Class POP Chain <?php __wakeup() magic method in the class DemoPopChain{ DemoPopChain class private $data = “bar\n”; private $filename = ‘/tmp/foo’; public function __wakeup(){ $this->save($this->filename); } public function save($filename){ file_put_contents($filename, $this->data); } ?> 16/12/2015 Practical PHP Object Injection Simple Class POP Chain <?php Calls DemoPopChain- class DemoPopChain{ >save() method, with the filename private $data = “bar\n”; property private $filename = ‘/tmp/foo’; public function __wakeup(){ $this->save($this->filename); } public function save($filename){ file_put_contents($filename, $this->data); } ?> 16/12/2015 Practical PHP Object Injection Simple Class POP Chain <?php DemoPopChain- >save() method class DemoPopChain{ writes contents
Load more

Recommended publications
  • Deserialization Vulnerability by Abdelazim Mohammed(@Intx0x80)
    Deserialization vulnerability By Abdelazim Mohammed(@intx0x80) Thanks to: Mazin Ahmed (@mazen160) Asim Jaweesh(@Jaw33sh) 1 | P a g e Table of Contents Serialization (marshaling): ............................................................................................................................ 4 Deserialization (unmarshaling): .................................................................................................................... 4 Programming language support serialization: ............................................................................................... 4 Risk for using serialization: .......................................................................................................................... 5 Serialization in Java ...................................................................................................................................... 6 Deserialization vulnerability in Java: ............................................................................................................ 6 Code flow work........................................................................................................................................... 11 Vulnerability Detection: .............................................................................................................................. 12 CVE: ........................................................................................................................................................... 17 Tools: .........................................................................................................................................................
    [Show full text]
  • Resin 3.2 Reference
    Contents 1 Overview 3 1.1 Features - Resin and Resin Professional . .3 2 Installation 11 2.1 Resin Installation Quick Start . 11 2.2 Resin Installation . 16 2.3 Resin Web Server . 16 2.4 Resin with Apache . 22 2.5 Resin with IIS . 34 2.6 How the Plugins Dispatch to Resin . 44 3 Command-Line 47 3.1 Command-Line Configuration . 47 4 Admin Guide 51 4.1 User Guide: Administration . 51 5 Watchdog 63 5.1 Resin Watchdog . 63 6 Virtual Hosts 73 6.1 Virtual Hosting . 73 7 Clustering 89 7.1 Resin Clustering . 89 8 Web Applications 109 8.1 An Overview of Web Applications . 109 9 Logging 137 9.1 Log . 137 10 Administration 163 10.1 Resin Administration . 163 1 CONTENTS 11 Deployment 177 11.1 Packaging/Deployment . 177 12 Proxy Caching 181 12.1 Server Caching . 181 13 Quercus 193 13.1 Quercus: PHP in Java . 193 14 Security 217 14.1 Resin Security . 217 15 Inversion of Control 271 15.1 Resin IoC . 271 15.2 Scheduled Task . 308 16 Amber 327 16.1 Amber . 327 17 Embedding Resin 355 17.1 Embedding Resin . 355 18 Filters 367 18.1 Filters . 367 19 BAM 379 19.1 BAM . 379 20 Comet 405 20.1 Comet/Server-Push Servlet . 405 21 Remoting 411 21.1 Resin Remoting . 411 21.2 Hessian . 417 22 Messaging 423 22.1 Resin Messaging . 423 23 JSF - Java Server Faces 435 23.1 JSF - Java Server Faces . 435 24 Configuration Tags 445 24.1 cluster: Cluster tag configuration .
    [Show full text]
  • Volume 108, Issue 12
    BObcaTS TEAM UP BU STUDENT WINS WITH CHRISTMAS MCIE AwaRD pg. 2 CHEER pg. 3 VOL. 108 | ISSUE NO.12| NOVEMBER 28TH, 2017 ...caFFEINE... SINCE 1910 LONG NIGHT AG A INST PROCR A STIN A TION ANOTHER SUCCESS Students cracking down and getting those assignments out of the way. Photo Credit: Patrick Gohl. Patrick Gohl, Reporter am sure the word has spread Robbins Library on Wednesday in the curriculum area. If you of the whole event. I will now tinate. I around campus already, ex- the 22nd of November. were a little late for your sched- remedy this grievous error and Having made it this far in ams are just around the cor- The event was designed to uled session you were likely to make mention of the free food. the semester, one could be led ner. ‘Tis the season to toss your combat study procrastination, get bumped back as there were Healthy snacks such as apples to believe, quite incorrectly, amassed library of class notes in and encourage students to be- many students looking for help and bananas were on offer from that the home stretch is more of frustration, to scream at your gin their exam preparation. It all to gain that extra edge on their the get go along with tea and the same. This falsehood might computer screen like a mad- started at 7:00PM and ran until assignments and exams. coffee. Those that managed be an alluring belief to grasp man, and soak your pillow with 3:00AM the following morn- In addition to the academic to last until midnight were re- hold of when the importance to tears of desperation.
    [Show full text]
  • Modern Web Application Frameworks
    MASARYKOVA UNIVERZITA FAKULTA INFORMATIKY Û¡¢£¤¥¦§¨ª«¬­Æ°±²³´µ·¸¹º»¼½¾¿Ý Modern Web Application Frameworks MASTER’S THESIS Bc. Jan Pater Brno, autumn 2015 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or ex- cerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Bc. Jan Pater Advisor: doc. RNDr. Petr Sojka, Ph.D. i Abstract The aim of this paper was the analysis of major web application frameworks and the design and implementation of applications for website content ma- nagement of Laboratory of Multimedia Electronic Applications and Film festival organized by Faculty of Informatics. The paper introduces readers into web application development problematic and focuses on characte- ristics and specifics of ten selected modern web application frameworks, which were described and compared on the basis of relevant criteria. Practi- cal part of the paper includes the selection of a suitable framework for im- plementation of both applications and describes their design, development process and deployment within the laboratory. ii Keywords Web application, Framework, PHP,Java, Ruby, Python, Laravel, Nette, Phal- con, Rails, Padrino, Django, Flask, Grails, Vaadin, Play, LEMMA, Film fes- tival iii Acknowledgement I would like to show my gratitude to my supervisor doc. RNDr. Petr So- jka, Ph.D. for his advice and comments on this thesis as well as to RNDr. Lukáš Hejtmánek, Ph.D. for his assistance with application deployment and server setup. Many thanks also go to OndˇrejTom for his valuable help and advice during application development.
    [Show full text]
  • Design Patterns in PHP and Laravel — Kelt Dockins Design Patterns in PHP and Laravel
    Design Patterns in PHP and Laravel — Kelt Dockins Design Patterns in PHP and Laravel Kelt Dockins [email protected] Design Patterns in PHP and Laravel Kelt Dockins Dolph, Arkansas USA ISBN-13 (pbk): 978-1-4842-2450-2 ISBN-13 (electronic): 978-1-4842-2451-9 DOI 10.1007/978-1-4842-2451-9 Library of Congress Control Number: 2016961807 Copyright © 2017 by Kelt Dockins This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made.
    [Show full text]
  • Vulnerable Web Application Framework
    University of Rhode Island DigitalCommons@URI Open Access Master's Theses 2015 Vulnerable Web Application Framework Nicholas J. Giannini University of Rhode Island, [email protected] Follow this and additional works at: https://digitalcommons.uri.edu/theses Recommended Citation Giannini, Nicholas J., "Vulnerable Web Application Framework" (2015). Open Access Master's Theses. Paper 629. https://digitalcommons.uri.edu/theses/629 This Thesis is brought to you for free and open access by DigitalCommons@URI. It has been accepted for inclusion in Open Access Master's Theses by an authorized administrator of DigitalCommons@URI. For more information, please contact [email protected]. VULNERABLE WEB APPLICATION FRAMEWORK BY NICHOLAS J. GIANNINI A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN COMPUTER SCIENCE AND STATISTICS UNIVERSITY OF RHODE ISLAND 2015 MASTER OF SCIENCE THESIS OF NICHOLAS GIANNINI APPROVED: Thesis Committee: Major Professor Victor Fay-Wolfe Lisa DiPippo Haibo He Nasser H. Zawia DEAN OF THE GRADUATE SCHOOL UNIVERSITY OF RHODE ISLAND 2015 ABSTRACT Utilizing intentionally vulnerable web applications to teach and practice cyber security principles and techniques provides a unique hands-on experience that is otherwise unobtainable without working in the real world. Creating such applications that emulate those of actual businesses and organizations without exposing actual businesses to inadvertent security risks can be a daunting task. To address these issues, this project has created Porous, an open source framework specifically for creating intentionally vulnerable web applications. The implementation of Porous offers a simplified approach to building realistic vulnerable web applications that may be tailored to the needs of specific cyber challenges or classroom exercises.
    [Show full text]
  • Web Vulnerabilities (Level 1 Scan)
    Web Vulnerabilities (Level 1 Scan) Vulnerability Name CVE CWE Severity .htaccess file readable CWE-16 ASP code injection CWE-95 High ASP.NET MVC version disclosure CWE-200 Low ASP.NET application trace enabled CWE-16 Medium ASP.NET debugging enabled CWE-16 Low ASP.NET diagnostic page CWE-200 Medium ASP.NET error message CWE-200 Medium ASP.NET padding oracle vulnerability CVE-2010-3332 CWE-310 High ASP.NET path disclosure CWE-200 Low ASP.NET version disclosure CWE-200 Low AWStats script CWE-538 Medium Access database found CWE-538 Medium Adobe ColdFusion 9 administrative login bypass CVE-2013-0625 CVE-2013-0629CVE-2013-0631 CVE-2013-0 CWE-287 High 632 Adobe ColdFusion directory traversal CVE-2013-3336 CWE-22 High Adobe Coldfusion 8 multiple linked XSS CVE-2009-1872 CWE-79 High vulnerabilies Adobe Flex 3 DOM-based XSS vulnerability CVE-2008-2640 CWE-79 High AjaxControlToolkit directory traversal CVE-2015-4670 CWE-434 High Akeeba backup access control bypass CWE-287 High AmCharts SWF XSS vulnerability CVE-2012-1303 CWE-79 High Amazon S3 public bucket CWE-264 Medium AngularJS client-side template injection CWE-79 High Apache 2.0.39 Win32 directory traversal CVE-2002-0661 CWE-22 High Apache 2.0.43 Win32 file reading vulnerability CVE-2003-0017 CWE-20 High Apache 2.2.14 mod_isapi Dangling Pointer CVE-2010-0425 CWE-20 High Apache 2.x version equal to 2.0.51 CVE-2004-0811 CWE-264 Medium Apache 2.x version older than 2.0.43 CVE-2002-0840 CVE-2002-1156 CWE-538 Medium Apache 2.x version older than 2.0.45 CVE-2003-0132 CWE-400 Medium Apache 2.x version
    [Show full text]
  • Serializing C Intermediate Representations for Efficient And
    Serializing C intermediate representations for efficient and portable parsing Jeffrey A. Meister1, Jeffrey S. Foster2,∗, and Michael Hicks2 1 Department of Computer Science and Engineering, University of California, San Diego, CA 92093, USA 2 Department of Computer Science, University of Maryland, College Park, MD 20742, USA SUMMARY C static analysis tools often use intermediate representations (IRs) that organize program data in a simple, well-structured manner. However, the C parsers that create IRs are slow, and because they are difficult to write, only a few implementations exist, limiting the languages in which a C static analysis can be written. To solve these problems, we investigate two language-independent, on-disk representations of C IRs: one using XML, and the other using an Internet standard binary encoding called XDR. We benchmark the parsing speeds of both options, finding the XML to be about a factor of two slower than parsing C and the XDR over six times faster. Furthermore, we show that the XML files are far too large at 19 times the size of C source code, while XDR is only 2.2 times the C size. We also demonstrate the portability of our XDR system by presenting a C source code querying tool in Ruby. Our solution and the insights we gained from building it will be useful to analysis authors and other clients of C IRs. We have made our software freely available for download at http://www.cs.umd.edu/projects/PL/scil/. key words: C, static analysis, intermediate representations, parsing, XML, XDR 1. Introduction There is significant interest in writing static analysis tools for C programs.
    [Show full text]
  • 1 Introducing Symfony, Cakephp, and Zend Framework
    1 Introducing Symfony, CakePHP, and Zend Framework An invasion of armies can be resisted, but not an idea whose time has come. — Victor Hugo WHAT’S IN THIS CHAPTER? ‰ General discussion on frameworks. ‰ Introducing popular PHP frameworks. ‰ Design patterns. Everyone knows that all web applications have some things in common. They have users who can register, log in, and interact. Interaction is carried out mostly through validated and secured forms, and results are stored in various databases. The databases are then searched, data is processed, and data is presented back to the user, often according to his locale. If only you could extract these patterns as some kind of abstractions and transport them into further applications, the developmentCOPYRIGHTED process would be much MATERIAL faster. This task obviously can be done. Moreover, it can be done in many different ways and in almost any programming language. That’s why there are so many brilliant solutions that make web development faster and easier. In this book, we present three of them: Symfony, CakePHP, and Zend Framework. They do not only push the development process to the extremes in terms of rapidity but also provide massive amounts of advanced features that have become a must in the world of Web 2.0 applications. cc01.indd01.indd 1 11/24/2011/24/2011 55:45:10:45:10 PPMM 2 x CHAPTER 1 INTRODUCING SYMFONY, CAKEPHP, AND ZEND FRAMEWORK WHAT ARE WEB APPLICATION FRAMEWORKS AND HOW ARE THEY USED? A web application framework is a bunch of source code organized into a certain architecture that can be used for rapid development of web applications.
    [Show full text]
  • "Yii 2.0 Cookbook"
    Contents 0.1 Preface...............................1 1 Unnoticed basics3 2 Logging and error handling5 2.1 Logging: problems and solutions................5 3 Web essentials 11 3.1 URLs with variable number of parameters........... 11 3.2 Working with different response types............. 12 3.3 Managing cookies......................... 17 3.4 Handling incoming third party POST requests......... 19 4 SEO essentials 23 4.1 Enable pretty URLs....................... 23 4.2 Pagination pretty URLs..................... 24 4.3 Adding SEO tags......................... 25 4.4 Canonical URLs......................... 26 4.5 Using redirects.......................... 27 4.6 Using slugs............................ 28 4.7 Handling trailing slash in URLs................. 30 5 Forms 33 5.1 Using and customizing CAPTCHA............... 33 5.2 Working with ActiveForm via JavaScript............ 36 5.3 Uploading files.......................... 38 5.4 Custom validator for multiple attributes............ 41 6 Security 47 6.1 SQL injection........................... 47 6.2 XSS................................ 48 6.3 RBAC............................... 49 6.4 CSRF............................... 56 iii iv CONTENTS 7 Structuring and organizing code 59 7.1 Structure: backend and frontend via modules......... 59 7.2 Asset processing with Grunt................... 60 7.3 Using global functions...................... 64 7.4 Processing text.......................... 65 7.5 Implementing typed collections................. 66 7.6 MVC................................ 68 7.7 SOLID............................... 69 7.8 Dependencies........................... 70 8 View 73 8.1 Reusing views via partials.................... 73 8.2 Switching themes dynamically.................. 75 8.3 Post-processing response..................... 76 9 Models 77 10 Active Record 79 10.1 Single table inheritance..................... 79 11 i18n 83 11.1 Selecting application language.................. 83 11.2 Using IDs as translation source................. 87 12 Performance 89 12.1 Implementing backgroud tasks (cronjobs)..........
    [Show full text]
  • Cakephp Cookbook Documentation Release 4.X
    CakePHP Cookbook Documentation Release 4.x Cake Software Foundation Sep 25, 2021 Contents 1 CakePHP at a Glance 1 Conventions Over Configuration........................................1 The Model Layer................................................1 The View Layer.................................................2 The Controller Layer..............................................2 CakePHP Request Cycle............................................3 Just the Start...................................................4 Additional Reading...............................................4 2 Quick Start Guide 13 Content Management Tutorial......................................... 13 CMS Tutorial - Creating the Database..................................... 15 CMS Tutorial - Creating the Articles Controller................................ 19 3 4.0 Migration Guide 29 Deprecated Features Removed......................................... 29 Deprecations.................................................. 29 Breaking Changes................................................ 31 New Features.................................................. 37 4 Tutorials & Examples 41 Content Management Tutorial......................................... 41 CMS Tutorial - Creating the Database..................................... 43 CMS Tutorial - Creating the Articles Controller................................ 47 CMS Tutorial - Tags and Users......................................... 56 CMS Tutorial - Authentication......................................... 64 CMS Tutorial - Authorization.........................................
    [Show full text]
  • The Programmer's Guide to Apache Thrift MEAP
    MEAP Edition Manning Early Access Program The Programmer’s Guide to Apache Thrift Version 5 Copyright 2013 Manning Publications For more information on this and other Manning titles go to www.manning.com ©Manning Publications Co. We welcome reader comments about anything in the manuscript - other than typos and other simple mistakes. These will be cleaned up during production of the book by copyeditors and proofreaders. http://www.manning-sandbox.com/forum.jspa?forumID=873 Licensed to Daniel Gavrila <[email protected]> Welcome Hello and welcome to the third MEAP update for The Programmer’s Guide to Apache Thrift. This update adds Chapter 7, Designing and Serializing User Defined Types. This latest chapter is the first of the application layer chapters in Part 2. Chapters 3, 4 and 5 cover transports, error handling and protocols respectively. These chapters describe the foundational elements of Apache Thrift. Chapter 6 describes Apache Thrift IDL in depth, introducing the tools which enable us to describe data types and services in IDL. Chapters 7 through 9 bring these concepts into action, covering the three key applications areas of Apache Thrift in turn: User Defined Types (UDTs), Services and Servers. Chapter 7 introduces Apache Thrift IDL UDTs and provides insight into the critical role played by interface evolution in quality type design. Using IDL to effectively describe cross language types greatly simplifies the transmission of common data structures over messaging systems and other generic communications interfaces. Chapter 7 demonstrates the process of serializing types for use with external interfaces, disk I/O and in combination with Apache Thrift transport layer compression.
    [Show full text]