symfony: bash auto completion
Wednesday, July 11th, 2007
Add this to your bash completion file (eg. /etc/bash_completion.d/symfony under Debian or /etc/profile.d/symfony under Redhat), source it, and you'll get a number of symfony completions.
PHPMailer is a widely deployed utility class used in PHP applications to handle e-mail sent through sendmail, PHP mailto() or SMTP. It is used in PHP applications such as WordPress, Mantis, WebCalendar, Group-Office and Joomla. The last official release happened on July 11, 2005.
If you have configured PHPMailer to use sendmail, it has a remote command execution vulnerability due to a lack of input validation: sendmail is invoked through the popen() function, which is called with a string constructed from unescaped user input.
Line 393 in the SendmailSend function in class.phpmailer.php contains the vulnerable code. If the Sender property is set by the initiating script, it is possible to execute arbitrary commands.
if ($this->Sender != "")
    $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
else
    $sendmail = sprintf("%s -oi -t", $this->Sendmail);
if(!@$mail = popen($sendmail, "w"))
The Sender property is most typically set in the host application by reading the value of the e-mail field or comment forms, which is where most attack vectors will be found.
The solution, of course, is to properly escape the input with the escapeshellarg() or escapeshellcmd() functions.
Alternatively, you can enable the PHP safe_mode feature, though many PHP applications, such as the TinyMCE spellchecker in WordPress, will break as a result. The safe_mode documentation comes with a warning of its own:
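As an added illustration (this is not PHPMailer's code), the same sendmail command line built the way the fix above describes: the Sender value is validated as an e-mail address and passed through escapeshellarg() before it reaches popen(). The function name and the sample sendmail path are assumptions.

```php
<?php
// Added example, not PHPMailer's own code: build the sendmail command string
// from the fixed version of the vulnerable sprintf() shown above.
function buildSendmailCommand(string $sendmailPath, string $sender): string
{
    // The sendmail path is configured by the application, not by the user,
    // so escapeshellcmd() is enough to keep it a single command.
    $cmd = escapeshellcmd($sendmailPath);

    if ($sender === '') {
        return sprintf('%s -oi -t', $cmd);
    }

    // The -f argument is an envelope sender address, so anything that does
    // not validate as an address (spaces, quotes, metacharacters) is refused
    // before it ever gets near the shell.
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Sender is not a valid e-mail address');
    }

    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // single quotes, so the shell sees exactly one literal argument.
    return sprintf('%s -oi -f %s -t', $cmd, escapeshellarg($sender));
}

// Constructed sample inputs for the demonstration.
$path = '/usr/sbin/sendmail';
echo buildSendmailCommand($path, 'user@example.com'), "\n";

try {
    // A value with whitespace is not an address and is rejected outright.
    buildSendmailCommand($path, 'foo bar@example.com');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```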
The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren’t very realistic, many people, especially ISP’s, use safe mode for now.
I have notified PHPMailer about this on their SourceForge bug tracker (see issue 1734811).
This article was sourced from http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
Ok, so a current project I'm working on is rolling out potentially hundreds of sites..
All of these sites are using the same base, but have different configuration, design and data for each one..
A problem has been how to roll all these sites out, while keeping them easy to update with bug fixes and modifications..
Here’s my solution..
Firstly we start with the config files.. app.yml and view.yml are very site-specific, so what do you do if you want some site-specific settings?
Well, in your app/config folder, create an app_local.yml and a view_local.yml - these will be your local config files, while app.yml and view.yml contain the settings that are the same for all of your sites…
Here’s an example of how the app.yml and app_local.yml would work from my sites..
all:
  #parameters for the gallery and avatar directories and sizes
  galleries:
    size_limit: 30
    limit: 20
    gallery_count: 25
    upload_dir: <?php echo sfConfig::get('sf_web_dir')?>/images/media/galleries/uploads
    allowed_image_types: [image/jpeg, image/jpg, image/pjpeg, image/gif, image/png, image/bmp, image/tiff]
    allowed_video_types: [video/mov, movie/quicktime, video/mpeg, video/x-ms-asf, video/x-msvideo, video/x-ms-wmv]
And here's my app_local.yml:
prod:
  #MUST EDIT THESE PARAMETERS - FOR PRODUCTION ONLY
  site_name: Skeleton Site
  cookie: skeleton
  site_domain: skeleton.com
  site_support_email: support@<?php echo sfConfig::get('app_site_domain')?>
  merchant:
    id: 4
    pass: password
all:
  #SHOULD EDIT THESE PARAMETERS
  #the selected attributes for the member profiles - eg, what profile questions to ask.. refer to db
  member:
    attributes: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25]
  swf:
    heading_font: DeliciousHeavy
Ok.. so hopefully the division is starting to make sense…
Now we need to configure the handlers… This part requires some small hacks to the symfony core files..
Let's start with app.yml (note the paths are my personal *nix paths.. I'm presuming you know where your symfony core files are).
Open up /usr/local/lib/php/symfony/symfony.php and at around line 97, add this in:
if ($file = $configCache->checkConfig($sf_app_config_dir_name.'/app_local.yml', true))
{
    include($file);
}
So..
What a fun morning!
We had a problem.. We are rolling out a stack of sites using the same base code and trying to avoid hardcoding ANYTHING except for CSS and YMLs…
So, Lightbox decided that they would hardcode the location of fileLoadingImage and fileBottomNavCloseImage..
dk and I have been working on a solution.. let's start from the top..
Firstly we need to pass the location of the images folder into the JavaScript.. our first dilemma.. so we basically want to call lightbox.js?imagepath=/path/to/images
Our view.yml looks something like this:
viewgallerySuccess:
  stylesheets: [lightbox]
  javascripts: [<?php echo sfContext::getInstance()->getRequest()->getRelativeUrlRoot() ?>/js/lightbox.js?imagepath=<?php echo sfContext::getInstance()->getRequest()->getRelativeUrlRoot() ?>]
Now, symfony seems to have a problem with adding .js to the end of everything, so we've hacked up AssetsHelper.php as follows:
function _compute_public_path($source, $dir, $ext, $absolute = false)
{
    if (strpos($source, '://'))
    {
        return $source;
    }

    $request = sfContext::getInstance()->getRequest();
    $sf_relative_url_root = $request->getRelativeUrlRoot();

    if (strpos($source, '/') !== 0)
    {
        $source = $sf_relative_url_root.'/'.$dir.'/'.$source;
    }

    // split off the query string so the extension check only sees the path
    $tail = '';
    if (strpos($source, '?') !== false)
    {
        list($source, $tail) = explode('?', $source, 2);
    }

    if (strpos(basename($source), '.') === false)
    {
        $source .= '.'.$ext;
    }

    // re-attach the query string after the extension has been added
    if (strlen($tail) > 0)
    {
        $source .= '?'.$tail;
    }

    if ($sf_relative_url_root && strpos($source, $sf_relative_url_root) !== 0)
    {
        $source = $sf_relative_url_root.$source;
    }

    if ($absolute)
    {
        $source = 'http'.($request->isSecure() ? 's' : '').'://'.$request->getHost().$source;
    }

    return $source;
}
Now that should take care of that!!
Next step..
We need a way to retrieve the variable from the URL in lightbox.js, so we've ripped and hacked up this code from script.aculo.us..
var imagepath;
// find the <script> tag that loaded lightbox.js and read imagepath from its query string
$A(document.getElementsByTagName("script")).findAll( function(s) {
    return (s.src && s.src.match(/lightbox\.js(\?.*)?$/))
}).each( function(s) {
    // allow upper-case letters, digits, '-' and '_' in the path as well
    var path = s.src.match(/\?.*imagepath=([A-Za-z0-9\/:._-]*)/)[1];
    imagepath = path;
});
var fileLoadingImage = imagepath+"/images/lightbox/loading.gif";
var fileBottomNavCloseImage = imagepath+"/images/lightbox/close.gif";
This will get the imagepath variable out of the URL and pass it through to Lightbox to display those images..
Well that’s just about enough out of me for now, have fun!
Why not…
Ok, so there are three parts.. the JS tool, the helper and the implementation..
I am a fan of Walter Zorn's wz_tooltip.. so let's start by downloading that..
Step 1
http://www.walterzorn.com/scripts/wz_tooltip.zip
Get the zip file and put the .js file in your /web/js folder..
In the appropriate view.yml, add a reference to wz_tooltip
Step 2
Let's create the helper.. /lib/helpers/TooltipHelper.php
Here's the code:
/**
 * WzTooltipsHelper.
 *
 * @package    symfony
 * @subpackage helper
 * @author     Daniel Graetzer
 * @version
 */
require_once(sfConfig::get('sf_symfony_lib_dir').'/helper/JavascriptHelper.php');

function tooltip($tip, $content, $link, $options = array())
{
    // escape quotes so the tip survives being embedded in the JS string
    $tip = addslashes($tip);
    $new_option = array('onmouseover' => "return escape('".$tip."');");
    $options = array_merge($new_option, $options);
    return link_to($content, $link, $options);
}

function init_tooltips()
{
    // returns the <script> tag that loads wz_tooltip.js (the tag is missing from this copy of the post)
    return '';
}
Step 3:
Implementation…
The first function - tooltip() - creates the tooltip, and the second function - init_tooltips() - MUST be placed before the </body> tag, or at least after the last tooltip.
Here's a sample call to tooltip():
echo tooltip('Here\'s the tooltip!', 'Link Text', 'home/index', array('class' => 'classy_class'));
There's plenty of customisation that can be done; check out http://www.walterzorn.com/tooltip/tooltip_e.htm for more details..
That’s about all there is to it… Have fun!
taken from: http://d.hatena.ne.jp/hilde/20070204
This shell script allows you to run the symfony pake tool from within a subfolder of the project…
sf.sh
#!/bin/sh
# -*- shell-script -*-
# walk up the directory tree until the project root (the one containing 'symfony') is found
while true; do
    if [ -f 'symfony' ]; then
        symfony "$@"
        exit $?
    fi
    cd ..
    if [ "$PWD" = "/" ]; then
        echo 'cannot find symfony project directory'
        exit 1
    fi
done
Here's an easy solution to the lack of image rollover ability in symfony..
// PHP helper: renders the image link with mouseover/mouseout handlers
function rollover($link, $normal, $hover, $target_id)
{
    return link_to(image_tag($normal, 'id='.$target_id), $link, array(
        'onmouseover' => "rollover('".$target_id."', '".image_path($hover)."');",
        'onmouseout'  => "rollover('".$target_id."', '".image_path($normal)."');"
    ));
}

// JavaScript (goes in a file under web/js; uses Prototype's $()): swaps the image source
function rollover(id, image)
{
    $(id).src = image;
}

// usage in a template
echo rollover('home/index', 'home.jpg', 'home_hover.jpg', 'home_link');
You could easily put the JavaScript inline if you wanted….. but that's not very nice now, is it?
For the many Mac developers out there using TextMate, there is now a book on the market to help you become the world's most pragmatic developer. Check out the book…
But on a more important note, I will be posting some random TextMate snippets along the way to speed up your coding..
Let’s start with some Symfony snippets.. I’ll add them exactly as I use them, if you have improvements or suggestions, just click that comment button!
Firstly, to install the Symfony bundle, perform the following steps.
• mkdir -p /Library/Application\ Support/TextMate/Bundles
• cd /Library/Application\ Support/TextMate/Bundles
• svn --username anon --password anon co http://macromates.com/svn/Bundles/trunk/Bundles/Symfony.tmbundle
Propel, New Query…
Key Equivalent: ^Q
Scope Selector: text.html
Snippet: \$c = new Criteria();
Now, to add some Propel criteria
Key Equivalent: ^W
Scope Selector: text.html
Snippet: \$c->add(${1:Object}Peer::${2:COLUMN}, ${3:Parameter});
This is how Symfony recommends a simple select:
\$c = new Criteria();
\$c->add(${1}Peer::$2, $3);
\$${1/.*/\L$0/} = ${1}Peer::doSelectOne(\$c);
$0
I’ll be back soon with some YAML snippets that might interest you Symfony developers…
Here is a very basic script which should come in handy to anyone trying to set up a login redirection (to the referer) while preserving the parameters passed through the URL.
Using $this->getRequest()->getReferer() will only pass through the module and action.
public function executeLogin()
{
    //This captures the referer's internal uri, including its parameters
    $referer = sfRouting::getInstance()->getCurrentInternalUri(true);
    if ($this->getRequest()->getMethod() != sfRequest::POST)
    {
        $this->getRequest()->getParameterHolder()->set('referer', $referer);
    }
}

public function executeChecklogin()
{
    //if the referer isn't set, set it to the home page
    $referer = $this->getRequestParameter('referer', '@homepage');
    //if the referer is the login page itself, refer to the home page
    if ($referer == 'user/login') $referer = '@homepage';
    return $this->redirect($referer);
}
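Because the referer in executeChecklogin() arrives as a request parameter, it is worth accepting only values that look like a symfony internal URI before redirecting. The helper below is an added example, not part of the original post; its name, the accepted URI shapes and the sample inputs are assumptions.

```php
<?php
// Added example (not from the original post): accept only internal URIs of
// the kind getCurrentInternalUri(true) produces, so a tampered ?referer=
// parameter cannot redirect the browser off-site after login.
function safeReferer($referer, $fallback = '@homepage')
{
    // Accepted shapes: 'module/action', 'module/action?a=1&b=2',
    // '@route' or '@route?a=1'. Anything with a scheme, a leading '/' or
    // other characters falls through to the fallback.
    $pattern = '#^(?:@[A-Za-z0-9_]+|[A-Za-z0-9_]+/[A-Za-z0-9_]+)(?:\?[A-Za-z0-9_=&%.+-]*)?$#';
    if (!is_string($referer) || !preg_match($pattern, $referer)) {
        return $fallback;
    }

    // The login action itself is never a useful destination, with or
    // without parameters attached.
    if (strpos($referer, 'user/login') === 0) {
        return $fallback;
    }

    return $referer;
}

// Constructed inputs: a normal internal URI with parameters, the login page,
// an absolute URL and a protocol-relative URL. Only the first one is kept.
$samples = array('gallery/view?id=7', 'user/login?x=1', 'http://evil.example/', '//evil.example');
foreach ($samples as $r) {
    echo $r, ' -> ', safeReferer($r), "\n";
}
```

In executeChecklogin() the call becomes $this->redirect(safeReferer($this->getRequestParameter('referer'))), which replaces the single equality check against 'user/login'.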