Zend Framework 1.11.0BETA1 Released

The Zend Framework team is pleased to announce the immediate availability of the first beta release of Zend Framework 1.11.0. This release is the culmination of several months of effort by contributors and Zend Framework partners, and offers several key new features, including support for mobile devices and the first stable release of the SimpleCloud API.

You may download the release from the following location:

(Note, beta releases appear separate from stable releases.)

This release is of BETA quality, and should be used for testing purposes only, not production. While the code has been well tested, we do expect there may be a few issues to resolve prior to a release candidate or general access release.

New Features in Zend Framework 1.11

Mobile Support

Zend Framework 1.11 marks the first release with explicit support for mobile devices, via the new component Zend_Http_UserAgent. This component was developed by Raphael Carles. Carles is CTO of Interakting, the digital agency of Business & Decision Group of France. Interakting employs 150 PHP professionals to build industrial PHP projects, and its clients include Canal +/Vivendi, BNP Paribas, Samsung France, Ministry of Education, Alapage (Orange), Orange Tunisia, and many others. As such, they have extensive experience in supporting mobile devices, and stepped forward to contribute to Zend Framework, which they leverage in their projects.

Zend_Http_UserAgent performs two responsibilities:

• User-Agent detection
• Device capabilities detection, based on User-Agent

The component includes a “features” adapter mechanism that allows developers to tie into different backends for the purpose of discovering device capabilities. Currently, the only shipped adapter is for the WURFL (Wireless Universal Resource File) API.

Luca Passani, author and lead of the WURFL project, has provided an exemption to Zend Framework to provide a non-GPL adapter accessing the WURFL PHP API.

Additional hooks into the component are provided via a Zend_Application resource plugin, and a Zend_View helper, allowing developers the ability to return output customized for the detected device (e.g., alternate layouts, alternate images, Flash versus HTML5 support, etc.).

Zend_Cloud: SimpleCloud API

During ZendCon 2009, Zend announced a prototype of the SimpleCloud API.
This API was to provide hooks into cloud-based document storage, queue services, and file storage.

Zend Framework 1.11.0 markes the first official, stable release of Zend_Cloud, Zend Framework’s PHP version of the SimpleCloud API. Current support includes:

  • Document Services:
    • Amazon SimpleDB
    • Windows Azure’s Table Storage
  • Queue Services:
    • Amazon Simple Queue Service (SQS)
    • Windows Azure’s Queue Service
    • All adapters supported by Zend_Queue:
      • Zend Platform JobQueue
      • Memcacheq
      • Relational Database
      • ActiveMQ
  • Storage Services:
    • Amazon Simple Storage Service (S3)
    • Windows Azure’s Blog Storage
    • Nirvanix
    • Local filesystem

When using any of the SimpleCloud APIs, your code will be portable across the various adapters provided, allowing you to pick and choose your services, as well as try different services until you find one that suits your application or business needs. Additionally, if you find you need to code adapter-specific features, you can drop down to the specific adapter in order to do so.

More adapters will be arriving in the coming months, giving you even more options!

We thank Wil Sinclair and Stas Malyshev for their assistance in the initial releases of Zend_Cloud.


Several classes in Zend Framework were patched to eliminate the potential for leaking timing information from the direct comparison of sensitive data such as plaintext passwords or cryptographic signatures to user input. These leaks arise from the normal process of comparing any two strings in PHP. The nature of the leaks is that strings are often compared byte by byte, with a negative result being returned early as soon as any set of non-matching bytes is detected. The more bytes that are equal (starting from the first byte) between both sides of the comparison, the longer it takes for a final result to be returned. Based on the time it takes to return a negative or positive result, it is possible that an attacker could, over many samples of requests, craft a string that compares positively to another secret string value known only to a target server simply by guessing the string one byte at a time and measuring each guess’ execution time. This server secret could be a plaintext password or the correct cryptographic signature of a request the attacker wants to execute, such as is used in several open protocols including OpenID and OAuth. This could obviously enable an attacker to gain sufficient information to perform a secondary attack such as masquerading as an authenticated user.

This form of attack is known as a Remote Timing Attack. Timing Attacks have been problematic in the past but to date have been very difficult to perform remotely over the internet due to the interference of network jitter which limits their effectiveness in resolving very small timing differences. While the internet still poses a challenge to performing successful Timing Attacks against a remote server, the increasing use of frameworks on local networks and in cloud computing, where network jitter may be significantly reduced, raises the distinct possibility that remote Timing Attacks will become feasible against ever smaller timing information leaks, such as those leaked when comparing any two strings. As a precaution, the applied changes implement a fixed time comparison for several classes which would be attractive targets in any potential remote Timing Attack. A fixed time comparison function does not leak any timing information useful to an attacker thus proactively preventing any future vulnerability to these forms of attack.

We thank Padraic Brady for his efforts in identifying and patching these vulnerabilities.

Dojo Support

Zend Framework’s default Dojo Toolkit version has been bumped to version 1.5.0.

SimpleDB Support

Zend Framework has provided support for Amazon’s Simple Storage Service (S3), Simple Queue Service (SQS), and Elastic Cloud Compute (EC2) platforms for several releases. Zend Framework 1.11.0 adds support for SimpleDB,

Amazon’s non-relational document storage database offering. Support is available for all SimpleDB operations via Zend_Service_Amazon_SimpleDb.

Zend Framework’s SimpleDB adapter was originally written by Wil Sinclair.

eBay Findings API Support

eBay has an extensive REST API, allowing developers to build applications interacting with their extensive data. Zend Framework 1.11.0 includes Zend_Service_Ebay_Findings, which provides complete support for the eBay Findings API. This API allows developers to query eBay for details on active auctions, using categories or keywords.

Zend_Service_Ebay was contributed by Renan de Lima and Ramon Henrique Ornelas.

New Configuration Formats

Zend_Config has been a quite popular component in Zend Framework, and has offerred adapters for PHP arrays, XML, and INI configuration files.
Zend Framework 1.11.0 now offers two additional configuration formats:

Zend_Config_Yaml provides a very rudimentary YAML-parser that should work with most configuration formats. However, it also allows you to specify an alternate YAML parser if desired, allowing you to lever tools such as PECL’s ext/syck or Symfony’s YAML component, sfYaml.

Zend_Config_Json leverages the Zend_Json component, and by extension ext/json.

Both adapters have support for PHP constants, as well as provide the ability to write configuration files based on configuration objects.

Stas Malyshev created both adapters for Zend Framework; Zend_Config_Json also had assistance from Sudheer Satyanarayana.

URL Shortening

Zend_Service_ShortUrl was added for this release. The component provides a simple interface for use with most URL shortening services, defining simply the methods “shorten” and “unshorten”. Adapters for two services, http://jdem.cz and http://tinyurl.com, are provided with this release.

Zend_Service_ShortUrl was contributed by Martin Hujer.

Additional View Helpers

Several new view helpers are now exposed:

• Zend_View_Helper_UserAgent ties into the Zend_Http_UserAgent
component, detailed above. It gives you access to the UserAgent
instance, allowing you to query for the device and capabilities.
• Zend_View_Helper_TinySrc is an additional portion of Zend
Framework’s mobile offering for version 1.11.0. The helper ties
into the TinySrc API, allowing you to a) provide device-specific
image sizes and formats for your site, and b) offload generation of
those images to this third-party service. The helper creates img
tags pointing to the service, and provides options for specifying
adaptive sizing and formats.
• Zend_View_Helper_Gravatar ties into the Gravatar API, allowing you
to provide avatar images for registered users that utilize the
Gravatar service. This helper was contributed by Marcin Morawski.

Download it today!

We’d appreciate your feedback on this release — please download and test it, and let us know what issues you encounter.

Also, please join me in extending a hearty round of congratulations to all the contributors involved in this release!

Matthew Weier O’Phinney

Using Action Helpers To Implement Re-Usable Widgets

Using Action Helpers To Implement Re-Usable Widgets

I had a twitter/IRC exchange yesterday with Andries Seutens and Nick Belhomme regarding applications that include widgets within their layout. During the exchange, I told Andriess not to use the action() view helper, and both Andriess and Nick then asked how to implement widgets if they shouldn’t use that helper. While I ended up having an IRC exchange with Nick to give him a general idea on how to accomplish the task, I decided a longer writeup was in order.


The situation all started when Andries tweeted asking about what he considered some mis-behavior on the part of the action() view helper — a situation that turned out not to be an issue, per se, but more a case of bad architecture within Zend Framework. His assumption was that calling action() would fire off another circuit of the front controller’s dispatch loop — which would mean he could rely on plugins he’d established to fire. However, action() does nothing of the sort. It instead pulls the dispatcher from the front controller, and manually calls dispatch() on a new action. As such, action helpers will trigger, but no front controller plugins will. Additionally, if a redirect or “forward” condition is detected, it simply returns an empty string.

The helper was done this way because Zend Framework does not render views a single time — it instead renders after each action, and accumulates views to render in the layout. If we were accumulating view variables and rendering once, and if we were using a finite state machine of some sort, we could probably operate the way one would expect — within the dispatch loop. Since we don’t, any solution around looping over actions (such as the ActionStack action helper/front controller plugin) or rendering the content of executing an action will be a hack. Note: ZF2’s MVC layer may make this possible… though still not necessarily recommended.

There are other reasons to avoid the use of these solutions, though. If you are invoking additional controller actions in order to help populate your view, you’re likely putting domain logic into your controllers. Think about it. The controller should only be responsible for taking the input, funneling it to the correct model or models, and then passing information on to the views

With that in mind, here’s the approach I recommended to Nick and Andries.

The Secret Weapon: Action Helpers

I’ve blogged about action helpers before. They’re a built-in mechanism in Zend Framework to allow you to extend your action controllers in a way that uses composition instead of inheritance.

One approach to widgets for Zend Framework makes use of these. Consider the following “user” module:

via read more.

Zend_Log with multiple writers

eschrader writes; So I was sitting here thinking to myself “This is Friday and I’m not getting much of anything done.  Maybe I should write another Friday Framework Highlight.”  I figured that it was a good idea so I pondered what I should write.  I came up blank and so I asked Matthew Weier O’Phinney.  “Multiple writers for Zend_Log,” he said.  I agreed.

If you were not aware, Zend_Log provides facilities for writing to multiple logs through the same log instance.  Additionally, you can do this via configuration options when using a Zend_Applicatin resource plugin.  Together those make for very powerful logging mechanisms.  “How?” you ask?  It’s really easy.  Take your application.ini file, which you use to configure your Zend_Application instance, and make it look something like this.  I’ll highlight the pertinent parts

phpSettings.display_startup_errors = 0
phpSettings.display_errors = 0
includePaths.library = APPLICATION_PATH "/../library"
bootstrap.path = APPLICATION_PATH "/Bootstrap.php"
resources.frontController.controllerDirectory = APPLICATION_PATH "/controllers"
resources.frontController.params.displayExceptions = 0
resources.log.stream.writerName = "Stream"
resources.log.stream.writerParams.stream = APPLICATION_PATH "/logs/application.log"
resources.log.stream.writerParams.mode = "a"
resources.log.stream.filterName = "Priority"
resources.log.stream.filterParams.priority = 4

[development : production]
phpSettings.display_startup_errors = 1
phpSettings.display_errors = 1
resources.log.stream.filterParams.priority = 7
resources.frontController.params.displayExceptions = 1
resources.log.firebug.writerName = "FireBug"
resources.log.firebug.filterName = "Priority"
resources.log.firebug.filterParams.priority = 7

What this does is say that “in production, log warnings and above to the log file, but in development, log debug to the log file AND send the log items to FirePHP.”  Then, in our index controller we put this:

class IndexController extends Zend_Controller_Action

public function indexAction()
$this->getInvokeArg('bootstrap')->log->debug("I'm at indexAction");


When we execute this code we get both the output in the application log

$ tail -f application.log
2010-09-10T16:27:25-05:00 DEBUG (7): I'm at indexAction

and in the Firebug log

X-Wf-Protocol-1            http://meta.wildfirehq.org/Protocol/JsonStream/0.2
X-Wf-1-Structure-1    http://meta.firephp.org/Wildfire/Structure/FirePHP/FirebugConsole/0.1
X-Wf-1-Plugin-1            http://meta.firephp.org/Wildfire/Plugin/ZendFramework/FirePHP/1.6.2
X-Wf-1-1-1-1            122|[{"Type":"LOG","File":"C:\\workspace\\Test\\application\\controllers\\IndexController.php","Line":8},"I'm at indexAction"]|

In production we wouldn’t get anything since this code would filter out debug logging, due to the resources.log.stream.filterParams.priority setting in the production section in application.ini.  Simple.  Done.

via e_schrade.

Zend_Server Class

e_schrade wrote a neat way of doing things in the service layer; Let’s take a quick look at something that’s kind of neat in Zend Framework. I’ve been doing some work with Adobe on some articles and one of them was on working with mobile clients with Flash. Well, me being the masochist I did more. What I did was write an example that worked as a full website, an Ajax website, a Flash service and an XML-RPC service.

Looks like a lot, right?  Actually there’s not much there.  Here’s the logic flow.

  • Is it an XMLHTTP Request and is it a POST? Create the Json server
  • Is it an AMF request? Create the AMF server
  • Is it an XmlRpc request? Create the XmlRpc server
  • Is it an XMLHTTP Request and is it a GET? Create the Service Map (for JSON-RPC 2.0)
  • If a service handler has been created add all of the application’s mappers, attach the service handler to the request and redirect to the service action.

And with that you have an application that can serve content for multiple different types of service with almost no effort on your part.  At least.. if you copy and paste this code.

Have a good Friday!!!

via Zend_Server – zf ffh zend_server on e_schrade – zend php.

Testing Zend Framework controllers in isolation

What I do is I have my controllers fetch all their dependencies from the bootstrap and/or front controller. The most common example is to pull the db resource from the bootstrap:

// in controller
$db = $this->getInvokeArg('bootstrap')->getResource('db');

But I also take it a step further. For example, if I’m using data mappers, I have the action controller check the front controller for the data mapper I need:

// in controller
$postsMapper = $this->getInvokeArg('posts_mapper');

I then update your unit test to inject the posts mapper with a stub:

// in unit test
$this->frontController->setParam('posts_mapper', $stubPostsMapper);

However, that invoke arg won’t exist in production, so I wrap that call in an if statement a la “lazy loading” style:

if (null === ($postsMapper = $this->getInvokeArg('posts_mapper'))) {
$postsMapper = new Default_Model_Mapper_Posts();

What this does is it allows me to stub in my stub posts mapper in my unit tests while letting the controller lazy-load the real one in production.

An alternative is to use Zend_Registry, but I find this to be a bit cleaner without the static calls.

Hector Virgen

Zend Framework 2.0 (2.0.0dev1)

Yesterday, the Zend Framework team tagged the first development milestone of Zend Framework 2.0 (2.0.0dev1). It is immediately downloadable from the Zend Framework servers:

* Zip package:


* tar.gz package:


NOTE! This release is not considered of production quality, and is released solely to provide a development snapshot for purposes of testing and research. Use at your own risk.

This release is the culmination of several months of work, and incorporates the following features:

* Removal of all require_once statements.

* Migration to namespaces.

* Refactoring of the test suite, including:

* Removal of all “AllTests.php” files.

* Removal of unreferenced test classes.

* Limited refactoring to move helper classes into their own files.

* Refactoring of conditional tests.

* Rewrite of Zend\Session from the ground up. This required creation of a new component, Zend\SignalSlot, for handling observers and creating filter chains.

* Addition of a new Zend\Stdlib namespace for interfaces and utility classes; in particular, we added extensions to SplQueue, SplStack, and  SplPriorityQueue to create serializable versions of these classes.

We have done some “real-world” testing of the release by building the Quick Start application, as well as migrating an existing demo application to ZF2. We were able to achieve both goals, demonstrating that while the release is certainly pre-alpha, it is definitely functional.

There is much work yet to be done. Today, we published a rough roadmap of milestones we will be working towards (1). This roadmap only addresses components with cross-cutting concerns, but serves as a guide for development in the coming months. If you are interested in contributing, be sure to sign our Contributors License Agreement (CLA), and read the “README-DEV.txt” file in the release. We also suggest you join the zf-contributors mailing list (2), and join in discussions on the #zftalk.dev IRC channel on Freenode.

[1] http://framework.zend.com/wiki/display/ZFDEV2/Zend+Framework+2.0+Milestones

[2] http://zend-framework-community.634137.n4.nabble.com/ZF-Contributor-f680267.html

Matthew Weier O’Phinney

Tutorial: Getting Started with Zend_Auth

Rob Allen writes; After too many months of neglect, I have completely rewritten my Zend_Auth tutorial so that it is compatible with Zend Framework 1.10!

As an experiment, I have written it directly in HTML, rather than PDF as before and cover the login form along with the login controller code required to authenticate a user using a database table. For good measure, I’ve included logging out and a view helper to show how to access the logged in user’s details.

The full source code is also available, if you don’t want to type it in 🙂

I hope you find it useful.

Tutorial: Getting Started with Zend_Auth – Rob Allen’s DevNotes.