Zend Framework Tutorials

September 2, 2009

Zend Framework is a PHP framework that allows PHP developers to design their projects using the Model-View-Controller (MVC) architectural pattern. Together with the object-oriented features of PHP 5+, it allows PHP to stop being a “Personal Home Page” scripting tool and become a language in which you can really design big projects. I am not going to explain further why object-oriented programming, tiered/modular architectures and separation of Model, View and Controller are critical for project design, development and maintenance, as a thorough analysis can be found in any textbook. (I also believe that those concepts should be obvious to any senior software architect/engineer who plans to design and/or implement a medium/large project.)

Noteworthy Introductory Tutorials:

  • Zend framework’s quick start tutorial: This is a great starting tutorial in order to understand the fundamental concepts.
  • Akra’s tutorial: Somewhat more advanced than the quick start tutorial. It is a nice introduction to some more concepts, even though Akra’s approach does not always follow the MVC pattern.
  • Pádraic Brady’s tutorial and on-line book. I must note that his writing style is quite enjoyable and very easy to follow (for the geeks among us – exaggerating a little bit – he has a “Tanenbaum” style of writing):
    • Example Zend Framework Blog Application Tutorial: Even though it is written for Zend framework version 1.5 (which has many differences with respect to version 1.9.1), it is quite useful as it introduces some new techniques, it presents in depth the basic concepts (a good supplement to the first two tutorials) and it adds authentication and authorization examples, modules, plugins and lots of other features. Just remember that he is using an older version of the framework, so I advise you to use Zend_Application and config files in order to set up your environment (paths, views, controllers, layouts) instead of the methodology presented in part 3 and some of part 4 (you can use my simple template app if you want a different approach).
      Edit: For some reason, I could not find Parts 9 and 10 of the tutorial in Brady’s blog. You can find a version of part 9 [here].
    • Zend framework – Surviving the deep end: This is a work in progress that can serve as a thorough introduction to the framework. It is partially based on the blog application tutorial, but covers more aspects as the author has more space than a blog post in order to discuss design decisions, etc. I believe that there are many more advanced features to be added, but even now one could find some interesting chapters like the ones about performance optimisation and unit tests.
  • A small tutorial on how to modularize the guest book application that was presented in the quick start tutorial: [1] [2]. I shouldn’t add it together with the general overall tutorials that I mention in this post (and that’s why I haven’t linked to many other, very helpful, specific tutorials), but I think that adding modules to an application is (1) a very important concept and, even though it is trivial, (2) it is not adequately explained in the on-line documentation of Zend Framework.

Video Tutorials (VidCasts):

  • I liked the video tutorials in the Zend framework’s website. It’s a great 20-30 min way to understand the basic concepts of Zend framework before diving into the tutorials.
  • Even better, Zendcasts has more than 40 in-depth video tutorials. Just skip the first 5-6 tutorials, which are covered by the official video tutorials. Also, the first vidcasts on the Zendcasts site use the older 1.7 version (a different approach is used for the bootstrap, etc.) and would be a wrong starting point for someone working with the newer versions of the framework.

Other than the few available tutorials, the best resource for all the available features is the extended Programmer’s Reference Guide, which can be found in Zend framework’s web site, and Zend’s Dev Zone. In order not to get lost trying to figure out where to begin (as the chapters are alphabetically ordered according to the name of the different components), you must have some basic understanding about the framework and how it works, so I would propose first reading a couple of the above-mentioned tutorials.
In my opinion, a nice set of starting chapters are:

Also, if you are going to build a lot of Zend apps, learn how to use the Zend command line tool and always create your projects and add controllers and actions by using it. If you are a Windows user and have installed Zend Framework 1.9 or 1.9.1 (latest release at the time of writing this post), know that the Zend tool does not work properly in Windows. The solution is to download version “1.8.4 patch 1” from the Zend archives and use its command line tool instead. You will save a lot of time and frustration 😉

Finally, after building a couple of projects, I realized that there is always a “startup repetition” phase where I must update the bootstrap.php, create a layout, add a dummy CSS, etc., so I created a simple template app, which I use when I want to do fast 2 min tests. You can download it if you want from here (you must use Zend Framework 1.8 and above)!

Never add a "Contact Us" form without a captcha

I have created a couple of websites during the last years and one thing that I have learned is that there are more bots out there than you can handle.

In the beginning I was thinking that adding a mechanism in my web projects for moderating user input would be enough and that I could manually check and approve any submitted comment. Moreover, I made the mistake of adding a “Contact Us” form in a couple of the web sites that I published on the web.

What did I do wrong?
1. I only checked for valid emails and I allowed any user input without using a captcha.
2. My systems would email me any comment the moment it was submitted.

So, what happened? All those bots out there started auto-submitting random text strings. And I am talking about bots entering the silliest randomly generated comments.
For example, in a low traffic alumni site that I created 4-5 years ago for the School of Electrical and Computer Engineering of National Technical University of Athens, the ratio of user submitted comments to automatically generated comments (that passed my checks) was 1 to 50.

But the most interesting fact, and the reason I am writing this post, was the submissions from the bots. As a software engineer I would assume that in any publicly available form, the bots would try to find vulnerabilities, inject code or scripts, post links to malicious websites, try to attack my database, etc. And that’s why I have built a mechanism to prevent those attacks, assuming that I would never see any spam. But I was amazed when I realized the kind of submissions that were not regular attacks or random strings. Some examples follow:

  • “Billiards, pool Croatia Service”
  • “Tired of a competitor’s site? Hinder the enemy? Fed pioneers or copywriters? … Kill Their Sites! …” (full list of prices followed and methods to contact them)
  • “Very nice site!” (and 100s of other similar generic messages)
  • “Hi, cool site, good writing ;)”  (and 100s of other blog oriented generic messages)
  • “to: Admin – If You want to delete your site from my spam list, please visit this site …”
  • … etc ….

I cannot understand how those people make money from those automatically generated messages, but I know one thing: They don’t stop submitting again and again… Every day…

So, the next time you are going to add a form in any project you create, either require the user to be logged in (having been checked through some form of captcha during the registration phase) or use a captcha…
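
The two mistakes listed in this post, corrected in a plain PHP handler. This is an added example, not code from the sites described: the arithmetic question is only a stand-in for a real captcha component, and the function names, session key and queue file are assumptions.

```php
<?php
// Added example; function names, session key and queue path are hypothetical.
// The expected answer stays server-side; only the question goes to the browser.
function issue_challenge(array &$session): string
{
    [$a, $b] = [random_int(1, 9), random_int(1, 9)];
    $session['contact_answer'] = $a + $b;
    return "What is $a + $b?";
}

// One attempt per challenge: the stored answer is discarded on every check.
function challenge_ok(array &$session, $answer): bool
{
    $expected = $session['contact_answer'] ?? null;
    unset($session['contact_answer']);
    return $expected !== null && is_string($answer)
        && ctype_digit($answer) && (int) $answer === $expected;
}

function handle_contact(array $post, array &$session, string $queueFile): array
{
    $email   = is_string($post['email'] ?? null) ? trim($post['email']) : '';
    $message = is_string($post['message'] ?? null) ? trim($post['message']) : '';
    $errors  = [];
    if (!challenge_ok($session, $post['answer'] ?? null)) {
        $errors[] = 'captcha';   // mistake 1: an email format check alone stops no bot
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    if ($message === '' || strlen($message) > 2000) {
        $errors[] = 'message';
    }
    if ($errors) {
        return ['queued' => false, 'errors' => $errors];
    }
    // Mistake 2: no mail() per submission; append to a queue reviewed in batches.
    $row = json_encode(['time' => time(), 'email' => $email, 'message' => $message]);
    file_put_contents($queueFile, $row . "\n", FILE_APPEND | LOCK_EX);
    return ['queued' => true, 'errors' => []];
}

// Constructed demo: a bot-style post with no answer, then a solved challenge.
$session = [];   // pass $_SESSION here in a real request
$queue = sys_get_temp_dir() . '/contact_queue_demo.jsonl';
issue_challenge($session);
var_dump(handle_contact(['email' => 'bot@example.com', 'message' => 'Very nice site!'], $session, $queue));
issue_challenge($session);
$solved = ['email' => 'alum@example.com', 'message' => 'Reunion date?', 'answer' => (string) $session['contact_answer']];
var_dump(handle_contact($solved, $session, $queue));
```

Because the answer is consumed on every check, a client that posts repeatedly without fetching a fresh form is rejected each time, and nothing reaches the inbox until the queue is reviewed.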