Comments on: The one-line web framework

By: janogarcia

janogarcia — Fri, 19 Dec 2008 10:27:29 +0000

Security concerns aside, this could be the "Hello world" equivalent for a Front Controller.

I think this post blog post does more good than harm, demystifying and giving a simplified (though others will refer it as oversimplified) example of a Front Controller.

Through simplification the author has been able to transmit the message in a clear and direct form, removing all the noise added by complementary, but *absolutely* required for production, code (validation, security...)

By: ErlangFTW

ErlangFTW — Fri, 19 Dec 2008 09:54:53 +0000

Thanks for the interesting post, these ‘evangelists’ should read some php security groups/mlists before shouting ‘it’s the end of the world’ and completely missing the point… geez.. btw, MVC is so 90’s

By: dagfinn

dagfinn — Fri, 19 Dec 2008 07:24:05 +0000

@calenti: I’m not sure I understand what you mean, but I would want to do as many checks as possible before calling call_user_func.

By: dagfinn

dagfinn — Fri, 19 Dec 2008 07:18:01 +0000

I find it interesting that several people believe this blog post is dangerous. I may write another one on the implications. For now, let me try to comment briefly. The critcs’ hypothetical premise appears to be that there are hordes of novice PHP programmers that are liable to copy and paste a line of code while ignoring the warning in bold on the next line. But that’s not just inexperience, that’s (probably incurable) stupidity. Besides, at that level of ignorance, they would have no clue what a Front Controller is and would have no idea what to do with it. Also, the critics are not seeing the forest for the trees. There is no way to make secure web apps without actually *understanding* security. Contributing to that understanding is what really matters, and any article that discusses security is likely to do more good than harm.

By: calenti

calenti — Thu, 18 Dec 2008 17:00:39 +0000

Couldn't you improve this by just defining the call_user_func function to perform the trimming and security/magic checks before determining where to reflect the request to?

Can't controller's constructor/initializer perform the checks before exiting, and if it finds something it doesn't like it just returns a "eat cheese, rugrat" static string?

By: Jaydee

Jaydee — Thu, 18 Dec 2008 09:31:09 +0000

Frankly, the only purpose that this post could serve is as a very very bad example. This can be harmful if picked up by the just-getting-started PHP developer, which could be a lot if this blog gets traffic from in-links.

By: dagfinn

dagfinn — Thu, 18 Dec 2008 08:34:05 +0000

You’re welcome to disagree with me. Let me just make sure I’ve made myself clear about what I’m doing. This is an example of “the simplest thing that could possibly work” (http://c2.com/xp/DoTheSimplestThingThatCouldPossiblyWork.html)
You start out with something dirt simple. Then you find out what’s lacking and add it. (Security is just the most obvious thing in this case.) If instead you start out with something that’s more complex than it needs to be, your code will stay more complex than it needs to be, unless you’re extremely good at–and committed to–removing bloat. And the wider security issue is that overly complex code gives bugs, including security bugs, a place to hide. Simplicity enables transparency.

By: Jaimz

Jaimz — Thu, 18 Dec 2008 01:11:09 +0000

I'd never do this, and in fact, I'd fire my developers if I caught them doing this. It's not the easiest way, it's not the best way, it's not even an option in real production code.

It is however the laziest way to do it.

as for writing it in one line, that's what you did. and you lived up to the subject of your post. However, I'd have to put a big yellow and black warning label on this article telling people that this is how to NOT make something like this.

As for what "another random php dev" said, i agree with 1,2,4, and 5. but point #3.. well that's dump to say that the main point of a framework is to prodive MVC. MVC is a programming pattern, not a benefit. I've made plenty of frameworks that don't even have a front controller. Another random php dev, you seem a little too narrow minded to say things like that, get some experience then come back.

By: Richard@Home

Richard@Home — Wed, 17 Dec 2008 14:16:55 +0000

… go about expanding this example to pass parameters into the the edit function?

http://www.example.com?controller=foo&action=edit&id=2

would map to

class foo { function edit($id) {} }

By: dagfinn

dagfinn — Wed, 17 Dec 2008 10:02:46 +0000

Exactly. I’m trying to explain the process rather than show the final result.