JonnyReeves.co.uk » CakePHP

Validating Image Uploads in CakePHP

Jonny — Mon, 16 Jun 2008 21:17:46 +0000

Following on from my article on CakePHP – Uploaded File Validation in Models, today’s snippet will show you how to use Cake’s validation rules to reject invalid images, or images which do not conform to a specified mime-type. This code relies on the fact that you have LibGD installed on your webserver.

Class Image extends AppModel
{
var $name = ‘Image’;
var $validate = array
(
‘uploaded_image’ => array
(
// Ensure file uploaded OK.
‘valid_upload’ => array
(
‘rule’ => array(‘validateUploadedfile’, false),
‘message’ => ‘An error occured whilst uploading your image, please try again’,
),

// Check image is valid / of allowed mime-type
‘valid_image’ => array
(
‘rule’ => array(‘isValidImageFile’),
‘message’ => ‘The file you have uploaded is not a valid or is unsupported, please try again’,
),
),
);

/**
* Custom validation rule for uploaded files.
*
* @param Array $data CakePHP File info.
* @param Boolean $required Is this field required?
* @return Boolean
*/
function validateUploadedFile($data, $required = false)
{
// Remove first level of Array ($data['Image']['size'] becomes $data['size'])
$upload_info = array_shift($data);

// No file uploaded.
if ($required && $upload_info[’size’] == 0) {
return false;
}

// Check for Basic PHP file errors.
if ($upload_info[‘error’] !== 0) {
return false;
}

// Finally, use PHP’s own file validation method.
return is_uploaded_file($upload_info[‘tmp_name’]);
}

/**
* Use LibGD to determine if an uploaded file is a valid Image by
* running it’s mime-type against a list of $valid_mime_types
*
* @param Array $data CakePHP File info
* @return Boolean
*/
function isValidImageFile($data)
{
// Allow these image mime-types, all others will be rejected
$valid_mime_types = array(‘image/jpeg’, ‘image/png’, ‘image/gif’);

$data = array_shift($data);
$filename = $data[‘tmp_name’];

// Catch I/O Errors.
if (!is_readable($filename)) {
debug(__METHOD__." failed to read input file: {$filename}");
return false;
}

// Retrieve the MimeType of Image, if none is returned, it’s invalid
if (!$mime_type = $this->getImageMimeType($filename)) {
debug(__METHOD__." Uploaded file does not have a mime-type");
return false;
}

// Check the MimeType against the array of valid ones specified above
if (!in_array($mime_type, $valid_mime_types)) {
debug(__METHOD__." Uploaded image has rejected Mime Type: {$mime_type}");
return false;
}

if (!$this->__getImageHandleFromFile($filename)) {
return false;
}

return true;
}

/**
* Use LibGD to return an uploaded Image’s MimeType as a String, FALSE
* on errors or if the file is not an image
*
* @param String $filename Absolute path to file on disc
* @return String Image MimeType of $filename, false on failure
*/
function getImageMimeType($filename)
{
// If this error is thrown LibGD is not installed on your server.
if (!function_exists(‘getimagesize’)) {
debug(__METHOD__." LibGD PHP Extension was not found, please refer to http://www.php.net/manual/en/book.image.php");
exit();
}

$result = getimagesize($filename);
if (isset($result[‘mime’])) {
return $result[‘mime’];
}
return false;
}

/**
* Returns a LibGD Image Handle for a file specified by $filename
*
* @param String $filename Absolute path to image on disk
* @return LibGD Image Handle on success, FALSE on failure.
*/
function __getImageHandleFromFile($filename)
{
if (!is_readable($filename)) {
debug(__METHOD__." failed to read input file: {$filename}");
return false;
}

// Retrieve the MimeType of Image, if none is returned, it’s invalid
if (!$mime_type = $this->getImageMimeType($filename)) {
debug(__METHOD__." failed to assertain MimeType of {$filename}");
return false;
}

switch ($mime_type)
{
case ‘image/jpeg’:
$handle = @imagecreatefromjpeg($filename);
break;

case ‘image/gif’:
$handle = @imagecreatefromgif($filename);
break;

case ‘image/png’:
$handle = @imagecreatefrompng($filename);
break;

default:
debug(__METHOD__." Didn’t know how to handle MimeType: {$mime_type}");
$handle = false;
break;
}

return $handle;
}
}

As always, comments are welcome.

CakePHP – Open_Basedir Restriction in Effect

Jonny — Mon, 02 Jun 2008 21:37:17 +0000

Just deployed a CakePHP on a domain running PLESK and dismayed by the fact that your screen is over-flowing with warning about open_basedir restriction in effect? Fear not, the solution is straight forward (if a little frustrating to track down!)

The problem is caused by this line (line 69, in CakePHP 1.2.0.6311) in /app/webroot/index.php:

ini_set(‘include_path’, CAKE_CORE_INCLUDE_PATH . PATH_SEPARATOR . ROOT . DS . APP_DIR . DS . PATH_SEPARATOR . ini_get(‘include_path’));

Yep, the simple ini_set command – the clues should start coming in thick and fast that ini_set is causing the problem due to the fact taht open_basedir complains about paths with :’s in their structure. (:’s being the delimiter for automatically included paths). To fix the problem you can either remove the if logic that calls “function_exists(’ini_set’)”, or, if you prefer to fix things the corret way, modify the line to remove the final stub:

ini_set(‘include_path’, CAKE_CORE_INCLUDE_PATH . PATH_SEPARATOR . ROOT . DS . APP_DIR . DS);

Good luck, hope that saves someone a headache! :)

CakePHP – Uploaded File Validation in Models

Jonny — Sun, 01 Jun 2008 14:56:26 +0000

Allowing uploaded files from users in PHP is fraught with danger, however by using CakePHP 1.2 and a little bit of Validation magic we can make things a little safer.

First, lets start by creating a simple upload form where the users will be uploading their files

# /app/views/story/create.ctp
echo $form->create(‘Story’, array(‘action’ => ‘create’, ‘type’ => ‘file’));
echo $form->input(‘Story.title’);
echo $form->input(‘Story.contents’);
echo $form->input(‘Artwork.uploaded_image’, array(‘type’ => ‘file’, ‘label’ => ‘Front Artwork’));
echo $form->end(‘Create Story’);
?>

Nothing particularly special here, just to note that we are specifying “type” => “file” in the $form::create method – this makes cake inset the correct ‘enc-type’ value in the generated

tag.

So when the user submits this form, they will be pointed towards the create() action in the StoryController, lets have a look at that:

# /app/controllers/story_controller.php
uses(’sanitize’);
class StoryController extends AppController {
var $name = ‘Story’;

/**
* Allows users to create a story with an attached image.
*/
function create() {
// Always sanitize user input, except for the filename (which will get borked on Win32 systems)
$uploaded_image = $this->data[‘Artwork’][‘uploaded_image’];
$this->data = Sanitize::clean($this->data);
$this->data[‘Artwork’][‘uploaded_image’] = $uploaded_image

if ($this->Story->save()) {
// redirect to the new story.
$this->Session->setFlash(‘Your story was created!’);
$insert_id = $this->Story->getInsertID();
$this->redirect(‘/stories/view/’ . $insert_id);
} else {
$this->Session->setFlash(‘Please correct the errors below’);
}
}
}
?>

Again, nothing unusual here, however, without any data validation we would be opening the application up to attack from malicious users – they could upload PHP code that could later be executed; for more general reading on the woes of File uploads, see what Chris Shiftlett, author of Essential PHP Security has to say.

So, in order to add some security to Image uploads, we are going to add some simple custom validation rules to the Artwork Model:

# /app/models/artwork.php
Class Artwork extends AppModel {
var $name = ‘Artwork’;
var $validate = array (
‘uploaded_image’ => array (
‘valid_upload’ => array (
‘rule’ => array(‘validateUploadedFile’, false)
‘message’ => ‘An error occurred whilst uploading’,
),
),
);

/**
* Custom validation rule for uploaded files.
*
* @param Array $data CakePHP File info.
* @param Boolean $required Is this field required?
* @return Boolean
*/
function validateUploadedFile($data, $required = false) {
// Remove first level of Array ($data['Artwork']['size'] becomes $data['size'])
$upload_info = array_shift($data);

// No file uploaded.
if ($required && $upload_info[’size’] == 0) {
return false;
}

// Check for Basic PHP file errors.
if ($upload_info[‘error’] !== 0) {
return false;
}

// Finally, use PHP’s own file validation method.
return is_uploaded_file($upload_info[‘tmp_name’]);
}
}
?>

Now, before the Data from the form is saved, it will be passed through the custom validation above – any invalid, or potentially malicious files will be rejected. This could easily be split into separate validation methods to provide more understandable error messages for your users.

CakePHP, Using CounterCache to keep track of Comments

Jonny — Sat, 31 May 2008 18:59:06 +0000

CounterCache is one of the new Core Model Behaviors in CakePHP 1.2 and it’s an absolute life saver for working with hasMany relationships where you want to OrderBy one of the children.

The basic idea behind a CounterCache is to keep tabs on how ‘children’ a specific model has, this is best explained in a quick snippet of CakePHP. In the following example I am going to set up a simple relationship of Users and Comments, however, I want to add the condition that posts must be moderated first as indicated by a `moderated` Boolean field in the MySQL table.

CREATE TABLE IF NOT EXISTS `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(50) NOT NULL,
`comments_count` int(11) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

CREATE TABLE IF NOT EXISTS `comments` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user_id` int(11) NOT NULL,
`message` text NOT NULL,
`moderated` tinyint(1) NOT NULL DEFAULT ‘0′,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Users Model: /app/models/user.php

Class User extends AppModel {
var $name = ‘User’;
var $hasMany = array(‘Comment’);
}
?>

Comments Model: /app/models/comment.php

Class Comment extends AppModel {
var $name = ‘Comment’;
var $actsAs = array(‘CounterCache’);
var $belongsTo = array (‘User’ => array (
‘foreignKey’ => ‘user_id’,
‘counterCache’ => ‘comments_count’,
‘counterScope’ => ‘moderated = 1′)
);
}
?>

So the magic being introduced here is the CounterCache Behavior, in the Comments Model (which is included by setting is in the $actsAs variable). The ‘counterCache’ => ‘comments_count’ value indicates to column on the `belongsTo` table which will contain the count and the ‘counterScope’ => ‘moderated = 1′ tells CounterCache to only increment the count value when this SQL Condition is met (in this case, `moderated` must be true).

Go ahead, build the application, throw some scaffolding into the Controllers and watch in awe as the `comments_count` value increments each time you save a comment where $data['Comment']['moderated'] = 1. Now, this is all well and good, but in the real world, users won’t be setting the moderated value, instead you will have a Controller action to approve comments which looks something like this:

/**
* Callback for when Cake has performed a save() operation.
*
* @param Boolean $created TRUE if save() performed a CREATE
* @return Void
*/
function afterSave($created) {
if (!$created) {
// Kick the counterCache value.
$this->updateCounterCache();
}
}
}
?>

You could further tweak this callback to enhance performance, only updating the counterCache when logic dictates it necessary.

CakePHP Vimeo Helper

Jonny — Mon, 26 May 2008 09:37:01 +0000

I’ve just posted a new Helper over at the bakery to assist with embedding Vidoes from Vimeo.com on your CakePHP site. The helper grants you access to all configuration flags for the player. Grab it here, happy baking!

As a side note, whilst fiddling around with this helper I found it interesting to note that Vimeo directly link to the .swf file in their embed code rather than using a Wrapper Script to log incoming embed locations – I presume they are trawling their Apache logs instead – still seems a bit backwards…

VimeoHelper source code after the leap

class VimeoHelper extends AppHelper
{
/**
* Creates Vimeo Embed Code from a given Vimeo Video.
*
* @param String $vimeo_id URL or ID of Video on Vimeo.com
* @param Array $usr_options VimeoHelper Options Array (see below)
* @return String HTML output.
*/
function getEmbedCode($vimeo_id, $usr_options = array())
{
// Default options.
$options = array
(
‘width’ => 400,
‘height’ => 225,
’show_title’ => 1,
’show_byline’ => 1,
’show_portrait’ => 0,
‘color’ => ‘00adef’,
);
$options = array_merge($options, $usr_options);

// Extract Vimeo.id from URL.
if (substr($vimeo_id, 0, 21) == ‘http://www.vimeo.com/’) {
$vimeo_id = substr($vimeo_id, 21);
}

$output = array();
$output[] = sprintf(‘’, $options[‘width’], $options[‘height’]);
$output[] = ‘ ’;
$output[] = ‘ ’;
$output[] = sprintf(‘ ’, $vimeo_id, $options[’show_title’], $options[’show_byline’], $options[’show_portrait’], $options[‘color’]);
$output[] = sprintf(‘ ’, $vimeo_id, $options[’show_title’], $options[’show_byline’], $options[’show_portrait’], $options[‘color’], $options[‘width’], $options[‘height’]);
$output[] = ‘’;

return $this->output(implode($output, "\n"));
}
}
?>

User Registration with CakePHP 1.2 and Auth Component

Jonny — Sat, 24 May 2008 10:54:46 +0000

With CakePHP 1.2 nearly reaching the RC release, I have started using it as the framework for my own applications. Once of the new features of 1.2 over 1.1 is the addition of numerous core Components for handling things such as Cookies, Email and Authentication (all of which I rolled myself in 1.1). Today’s article is going to focus on the Auth Component and a couple of problems it threw up whilst I was trying to create a simple registration page.

Before starting with the code listings for a simple registation action, a little bit of background as to why I’m writing this post. CakePHP 1.2’s Auth Component will automatically hash the value of $this->data['User']['password'] – this is helpful in many ways and allows for a lot of Cake’s auto-magic, however it can cause problems. For example, as the passowrd is automatically being hashed into a 40 character value before any other logic is applied, any validation rules in the Model will be ignored (including NOT_EMPTY like checks). Take this as a hypothetical situation:

User goes to /users/register to create a new account
User enters their username and password correctly, they then enter an invalid email address
Controller fails to validate() the invalid email address supplied so takes the user back to the registration page – Cake helpfully re-populates the form with the values in $this->data array
This unfortunatley means the user’s password has been turned into a 40 Character SHA-1 Hash! If the user fails to notice this fact, fixes their email address and clicks submit then that 40 Character SHA-1 Hash is going to get hashed again – now the user has no idea what their password is set to – whoops!

Getting around this problem is pretty straight forward, it just requires a little bit of thought – change the fieldname from password (Which CakePHP 1.2’s Auth Component will automatically hash) to something else, ie: passwrd. Now Cake won’t hash this value, your model’s validation checks can run and everyone is happy – just don’t forget to use AuthComponent::password() to hash this value before storing it.

User Model Class

array
(
‘alphanumeric’ => array
(
‘rule’ => ‘alphaNumeric’,
‘message’ => ‘Only the letters A-z and digits 0-9 are allowed’,
),
‘length’ => array
(
‘rule’ => array(‘between’, 4, 20),
‘message’ => "Your username must be between 4 and 20 characters long",
),
),
‘passwrd’ => array
(
‘rule’ => array(‘minLength’, 6),
‘message’ => ‘Your password must be at least 6 characters long’,

),
‘email’ => ‘email’,
);
}
?>

User Controller Class

Auth->allow(‘register’);
}

/**
* Allows a user to sign up for a new account
*/
function register()
{
// If the user submitted the form…
if (!empty($this->data))
{
// Turn the supplied password into the correct Hash.
// and move into the ‘password’ field so it will get saved.
$this->data[‘User’][‘password’] = $this->Auth->password($this->data[‘User’][‘passwrd’]);

// Always Sanitize any data from users!
$this->User->data = Sanitize::clean($this->data);
if ($this->User->save())
{
// Use a private method to send a confirmation
// email to the new user (code not shown)
$this->__sendConfirmationEmail();

// Success! Redirect to a thanks page.
$this->redirect(‘/users/thanks’);
}

// The plain text password supplied has been hashed into the ‘password’ field so
// should now be nulled so it doesn’t get render in the HTML if the save() fails
$this->data[‘User’][‘passwrd’] = null;
}
}
}

User/Register.ctp View

Create an Account

create(‘User’, array(‘action’ => ‘register’));
echo $form->input(‘username’, array(‘between’ => ‘Pick a username’));

// Force the FormHelper to render a password field, and change the label.
echo $form->input(‘passwrd’, array(‘type’ => ‘password’, ‘label’ => ‘Password’));
echo $form->input(‘email’, array(‘between’ => ‘We need to send you a confirmation email to check you are human’));
echo $form->submit(‘Create Account’);
echo $form->end();
?>