Great looking and educational framework but I'm really struggling here and would appreciate any passing nginxexpers having a look.

I've played with some other basic MVC frameworks and never had the problem where a normal nginx try_file wouldn't work.

So, for example:

location /manage/login {
     try_files $uri $uri/ /manage/login/index.php;
}

But, of course, I can see from the .htaccess and application.php that this uses ?url= GET arguments.

So, 5 hours of reading http://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER and http://wiki.nginx.org/HttpCoreModule#.24args and http://nginx.org/en/docs/http/converting_rewrite_rules.html I've tried various of the following.... (the install folder is in manage/login

location /manage/login { try_files $uri $uri/ /manage/login/index.php?url=$uri; }

also

try_files $uri $uri/ /manage/login/index.php?url=$uri; try_files $uri $uri/ /manage/login/index.php?url=$args; try_files $uri $uri/ /manage/login/index.php?url=$uri$args; try_files $uri $uri/ /manage/login/index.php?$args;

and other combinations of the above. No matter what I put, it always says:

You are in the controller home, using the method index() You are in the View: application/views/home/index.php

I found another lost soul at http://forum.nginx.org/read.php?2,247614,247647#msg-247647 but again, he wasn't having much luck.

LITTLE NOTICE FROM PHP-MVC AUTHOR: Please don't panic, this ticket here shows some security issues that are indeed real, but php-mvc is on the same level of security like most mainstream PHP scripts in the world, like Wordpress, lots of CMS and major frameworks! The cases shown here are real, but these security "holes" can be found in most PHP scripts/installations in the world, including lots of popular sites.

These security issues will be fixed within the next 14 days by a simple movement of the index.php and .htaccess changes, so you can update to the fixed version easily.

Big thanks to @AD7six for the good information!

This project is insecure

Following on comments made to this SO question. If no other action comes from this ticket it would be wise to clarify beyond doubt the purpose of the repository as currently:

• "it's a training thing for people to get into the very basics of MVC"
• "People who [use this repository for real projects] should know what they do"

Which is quite contradictory, it's for beginners who know what they are doing.

The readme makes no mention of that; It is unfair to users who may choose this project for real applications to unwittingly find that the repository they have based their project on is infact fundamentally unsafe.

Consider the following actions:

ssh server
git clone https://github.com/panique/php-mvc.git
vim php-mvc/application/config/config.php

Resulting in:

$ tree php-mvc
|-- CHANGELOG.md
|-- README.md
|-- _tutorial
|   |-- donate-with-paypal.png
|   |-- tutorial-part-01.png
|   |-- tutorial-part-02.png
|   |-- tutorial-part-03.png
|   |-- tutorial-part-04.png
|   `-- tutorial-part-05.png
|-- application
|   |-- _install
|   |   |-- 01-create-database.sql
|   |   |-- 02-create-table-song.sql
|   |   `-- 03-insert-demo-data-into-table-song.sql
|   |-- config
|   |   |-- config.php
|   |   `-- config.php~ # <---- an editor file.
|   |-- controller
|   |   |-- home.php
|   |   `-- songs.php
|   |-- libs
|   |   |-- application.php
|   |   `-- controller.php
|   |-- models
|   |   |-- songsmodel.php
|   |   `-- statsmodel.php
|   `-- views
|       |-- _templates
|       |   |-- footer.php
|       |   `-- header.php
|       |-- home
|       |   |-- example_one.php
|       |   |-- example_two.php
|       |   `-- index.php
|       `-- songs
|           `-- index.php
|-- composer.json
|-- index.php
`-- public
    |-- css
    |   `-- style.css
    |-- img
    |   `-- demo-image.png
    `-- js
        `-- application.js

All application files are web accessible

Absolutely all files are accessible in a php-mvc project. For all not-php files that means the source can be read directly. Example:

$ curl http://example.com/php-mvc/composer.json
{
    "name": "panique/php-mvc",
    "type": "project",
    "description": "A simple PHP MVC boilerplate",
...

The problem is not limited to !php files, as most editors generate a tmp/swap/backup file any file that's edited on the server (or has noise uploaded - if it's deployed via ftp) is also accessible. In the example I gave a backup/swap file was generated for the config file, that file's contents are also now browsable:

$ curl http://server/php-mvc/application/config/config.php~
<?php

/**
 * Configuration
 *
 * For more info about constants please @see http://php.net/manual/en/function.define.php
 * If you want to know why we use "define" instead of "const" @see http://stackoverflow.com/q/2447791/1114320
 */

/**
 * Configuration for: Error reporting
 * Useful to show every little problem during development, but only show hard errors in production
 */
error_reporting(E_ALL);
ini_set("display_errors", 1);

/**
 * Configuration for: Project URL
 * Put your URL here, for local development "127.0.0.1" or "localhost" (plus sub-folder) is fine
 */
define('URL', 'http://127.0.0.1/php-mvc/');

/**
 * Configuration for: Database
 * This is the place where you define your database credentials, database type etc.
 */
define('DB_TYPE', 'mysql');
define('DB_HOST', '127.0.0.1');
define('DB_NAME', 'php-mvc');
define('DB_USER', 'root');
define('DB_PASS', 'mysql');

The code is also browsable via the .git folder

But the bad news doesn't stop there. You can also browse the .git folder if it is "deployed" with the application (if either the project is a checkout on the server, or the .git folder is uploaded via ftp):

$ curl http://example.com/php-mvc/.git/config
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = https://github.com/panique/php-mvc.git
[branch "master"]
    remote = origin
    merge = refs/heads/master

In and of itself this may disclose sensitive information. Getting a valid response means that by looking around you can browse/download the whole git repo:

$ curl http://example.com/php-mvc/.git/packed-refs
# pack-refs with: peeled 
2c7c8b01ea5904098bc5a7a22a93781082c8eacc refs/remotes/origin/master
14b1162512b50d3ea0a71f8e0c501a7a30445bae refs/remotes/origin/develop

etc.

Solution

It is trivial to prevent this; the only side effect being that the public folder is the only folder that is web accessible.

• Move /index.php to /public/index.php

• Move /.htaccess to /public/.htaccess

• create a new root .htaccess file with the following contents:

  <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteRule    (.*) public/$1    [L]
  </IfModule>
  

While I have no personal interest in using this project - I'd be grateful if you could address these problems to prevent inexperienced users trying to use it and inadvertently disclosing their application files to the public or worse losing their data etc.

In addition I recommend taking a look at projects such as h5bp's apache config as it addresses these and many more common problems out of the box.

Hi there!

Any reason why you load the css as follows <link href="<?php echo URL; ?>public/css/style.css" rel="stylesheet">

While it's also working like this <link href="public/css/style.css" rel="stylesheet">

Thanks!

if i type http://localhost/mini-master/home/a which is not declared in home Class, it has an error "Fatal error: Cannot redeclare class Model in /Applications/XAMPP/xamppfiles/htdocs/mini-master/application/model/model.php on line 4"

is it possible to redirect all not existing path back to root or index?

On https://github.com/panique/mini/blob/master/application/core/application.php#L72 this method is causing spaces that are encoded (%20) to be removed from the url. (No%20Space would become NoSpace)

I have fixed it by replacing L72 with $url = str_replace('\/', ' ', filter_var(str_replace(' ', '\/', $url), FILTER_SANITIZE_URL)); however there is probably a better way to do this.

The major "getting-started"-bottleneck in php-mvc is still to activate mod_rewrite, especially beginners have problems with that.

Laravel - and other frameworks - does something very interesting: They have a fallback when no mod_rewrite is activated that makes the applicaiton work exactly like with mod_rewrite, except that you always have index.php inside your URL, like http://x.x.x.x/index.php/help/showArticle/17.

I think php-mvc should do the same. Please have a look how to do this if you have some knowledge about this topic.

Interesting read on SO: http://stackoverflow.com/questions/975262/pretty-urls-without-mod-rewrite-without-htaccess http://stackoverflow.com/questions/5629683/serverpath-info-and-serverorig-path-info-in-php

Interesting file / behaviour in Laravel's root: https://github.com/laravel/laravel/blob/master/server.php

PATH_INFO is used in both Symfony and ZF

Quote from that file:

// This file allows us to emulate Apache's "mod_rewrite" functionality from the
// built-in PHP web server. This provides a convenient way to test a Laravel
// application without having installed a "real" web server software here.

As usual, please only commit into develop branch - never in master (it's only for stable public release). Or create a feature-branch (but I'm not sure if this is possible to easily in a public repo on GitHub).

This has also reduced the amount of code required in the controller lib. I also did some basic speed testing and the changes don't seem to have impacted performance.

If there's a reason you decided to only allow a maximum of three parameters that's fine :)

Hey people, as this barebone got quite good response and obviously is helpful, it might be useful to work on a "more advanced" version in 2014.

Goals: Implement very useful web technologies in a ready-to-go way to encourage people to use them.

UPDATE: This project will get an own repository, like php-mvc-advanced or similar

For example "php-mvc 2" could implement:

1.) SASS/Compass (the improved version of CSS) which compiles SCSS to CSS with PHP (http://leafo.net/scssphp/ does this, installable via Composer).

2.) A view engine, like Twig (installable via Composer).

3.) An ORM library (same here)?

4.) A slim/laravel-like routes.php that basically replaces all controller files

Feel free to add your ideas!

As this projects gains a lot of popularity (which I have never even thought of) and seems to be useful for lots of people, I'm thinking about going a step further and creating some kind of php-boilerplate out of it.

1. The web is full of excellent PHP-frameworks, and everybody who has the skills should use them, but:
2. A very high number of developers (and non-developers!!) does not have the skill or the time or the nerve to read into frameworks to use them, and in so many cases frameworks and CMS are soooo overdozed. I'm especially looking at the enourmous amount of people who do mostly frontend and need a supersimple - but modern, easy and secure - backend architecture for doing just a few database calls etc.

So, what problem does this solve ?

So many people build applications (with PHP) completely from scratch, without having any idea of application structure, oop, mvc, clean architecture, clean code, PSR, etc. Just spend some minutes on stackoverflow or the local university and you know what i mean. php-boilerplate could give beginners (!) and advanced developers an easy-to-understand naked base application, easy to install, easy to maintain, to get started, and killing all the major problems a completely self-built structure introduces (including lots of security problems).

Still not as good as a real framework, but 1000x better than the horrible mess of .php files we have all written back in the days.

Beside, it makes people learn clean, dry oop code from the beginning, encourages them to use PSR guidelines, use PDO, use Composer, get a feeling for security, use comments in the way they should be used, learn git and continious deployment (which can be supereasy and setup-free) etc.

What the difference to the current php-mvc project ?

1. Making the current project much easier to install, eliminating as much server setup steps as possible
2. Reducing the amount of configs
3. Make this work out-of-the-box in any mainstream server config (all big OS, all servers (apache, nginx, iis))
4. Detailed, but still compact and easy-to-understand documentation
5. Massive tutorials
6. Integrate all possible mainstream use cases (crud, search, pagination, ajax, json API [for all the heavy frontend-JS-apps], etc.
7. Integrate introductions into git / deployment / workflows to guide people into the right direction.

Maybe it even makes sense to collect money for this (via Kickstarter or getting supported by open-source-funding organizations etc.) !? This is just a first idea, but feel free to comment. I think this can be a very useful project.

Hi,

I just see that you are building url using structure "controller/action/param"

I guess if someone else have already introduce url routing more flexible so we can easy override url without need to change controller and method name.

Thanks!

Hello,

I'm using your framework for a school project and I have an issue with the https request. My problem is here: https://46.101.127.220/ How you will see the site is messy and I don't know how to fix this. One of the requirements of the project is to have SSL and HTTPS requests. Can you help me to understand how to fix this? I don't know if I need to fix something in the HTACCESS or in the code directly. Please help me. Thank you, Jakub

I migrated from Apache to Nginx, and found the provided nginx config example only worked after changing the root from / to /public.

This config worked as well:

server {
        server_name servername.devops.local;
        listen [::]:80;
        listen 80;

        access_log /var/log/nginx/servername.devops.local.log;
        error_log /var/log/nginx/servername.devops.local.log;

        root /var/www/servername/public_html;

        location / {
                index index.php;
                try_files /public/$uri /public/$uri/ /public/index.php?url=$uri;
        }

        location ~ \.php$ {
                fastcgi_pass unix:/run/php-fpm/www.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

AlmaLinux 8.6 (Sky Tiger) Linux 4.18.0-372.16.1.el8_6.x86_64
nginx version: nginx/1.14.1
PHP 8.1.8

I'm posting this as an extension to conversation https://github.com/panique/mini/issues/55

Currently, i have set cron with curl and wget but we need to set cron with PHP CLI. But this wat increases the load on the server. So please explain me how we set the controller as cron with PHP CLI.

Waiting your responce Ankesh

Hello, how can i add login / register function for the whole framework, i saw this sample module but it is not clear can it be added and if so how?

I think this framework development is quite simple and needs a little more development :)

https://github.com/panique/php-login-one-file

I noticed that if we try to set $_GET parameters, the configuration will have to be as follows to work:

location / {
    try_files $uri $uri/ /index.php?url=$uri;        
    if ($args) {
        rewrite ^/(.+)$ /index.php?url=$1 last;
    }
}

Otherwise the framework does not take into account the parameters you pass, but only "url".

Hi everybody!

My web server is IIS 7.5 and I'm trying to convert .htaccess files to web.config but I have a problem with the second web.config (in /public). The links in the menu get an Error 404.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
       <rewrite>
          <rules>
             <rule name="Main Rule" stopProcessing="true">
                 <match url="^(.+)$" ignoreCase="false" />
                  <conditions logicalGrouping="MatchAll">
                    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                   <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                    </conditions>
                  <action type="Rewrite" url="index.php?url={R:1}" appendQueryString="true" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

The web.config file in / works well:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
       <rewrite>
		  <rules>
		     <rule name="public" stopProcessing="true">
                            <match url="^(.*)" ignoreCase="false" />
                             <action type="Rewrite" url="public/{R:1}" />
                      </rule>
		  </rules>
         </rewrite>
    </system.webServer>
</configuration>

Can someone help me with this or with the configuration for URL in config.php?

Error details:

IIS Web Core
MapRequestHandler
StaticFile
0x80070002

URL request: http://localhost:81/site/public/page1
Path: C:\inetpub\wwwroot\site\public\page1

Thank you!!!