Love Fuel?    Donate

Thoughts, ideas, random notes, ramblings...

Anything about PHP in general, and FuelPHP in particular. Sometimes serious, sometimes with a big wink. But always with a message. Do you have an opinion about an article? Don't forget to comment!

It has been quite a busy 7 months since the last release. Unfortunately not all spend on FuelPHP, due to personal circumstances. But there is good news too!

New team member

Steve West has been added to the core development team. Steve is currently lead developer at London based eCommerce specialists Ve Interactive. Steve was already very active in IRC, and working on improving the functionality of the ORM. His main focus will be on rewriting the ORM for version 2, on Fieldsets and Validation, and on unit testing.

Security fixes

This release fixes for three potential security issues.

The first one concerns "Request_Curl". If you have enabled auto format (which it is by default up until 1.7.1), it is possible for the webserver targeted by the request to craft a response that can potentionally harm your application and/or your server. A proof-of-concept has shown that it is possible to delete files (limited to the access rights of your webserver user). As of version 1.7.2, auto formatting is off by default. If you enable it, make sure you can trust your request target!

The second one concerns a possible SQL injection vulnerability, related to incorrect validation of the parameters of the "select()" method. This has been fixed, which means incorrect use (using embedded quotes such as in "DB::select("LOWER \"field\")")" is no longer possible, you will have to use "DB::expr()" instead.

The last one is a minor issue related to error messages. If error messages are enabled (typically not in a production environment), and you have used unvalidated input values in message, it is possible to introduce an XSS attack. All error messages passed to the frameworks error and exception handlers are now escaped. A similar issue existed in the profiler, related to the display of the contents of "$_GET". This issue has been addressed too.

It is strongly suggested to upgrade your applications to this release. If it is not possible, make sure to check you code for any of these vulnerabilities, and fix them.

Composer

One of the biggest requests from the community over the last year has been the ability to be able to use Composer, both for installation of the framework and installation of framework components and dependencies. As of this release, you can install FuelPHP completely though composer, either via "composer create-project", or via installing the downloaded zip from this site or a git clone of fuel/fuel repository, and then run a "composer update" to install the core and the packages.

Viewmodel becomes Presenter

As of now, you will see changes appear in preparation for Fuel v2. The first one that makes it into a v1 release is the Presenter, which replaces the Viewmodel. The Presenter is backwards compatible, and the framework will make sure you code doesn't break if it still uses the Viewmodel. But you are encouraged to change it. This can be done using a search-and-replace, the API of the Presenter is compatible with that of the Viewmodel.

One of the smaller changes is the option to fully namespace your controllers (\Controller\Foo\Bar\Baz), which is the way v2 controllers will operate.

Fixes and improvements

As usual, there is a long list of fixes and improvements, too long to discuss here. Please check the changelog to see what has been changed or improved since the last release.

What about version 2?

No worries, we haven't forgotten that. Almost all our spare time goes into development of version 2. Because of the highly modular architecture of version 2, it is possible to use finished components in an existing version 1.x appliaction. For example, you have been using it's upload component since version 1.6. Several people have reported that they have switched their validation and fieldsets to the new version 2 components. Currently the new ORM and Auth components are being worked on. Both will be rewritten from scratch. Once they are finished, we will release a first alpha of version 2.