• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Prohibit access to get_instance() from a view

#11
(11-21-2017, 10:20 AM)Narf Wrote:
(11-21-2017, 09:36 AM)rolf Wrote:
(11-21-2017, 03:00 AM)Narf Wrote: Not possible.

I agree. Even when creating an extension for get_instance(), it's still not possible to determine whether a call was being made from the view or from the controller.

It is possible to detect where the call originated from. You can't make an extension of get_instance().

So, how would you do this?
Reply

#12
Narf will know better and correct me if I am wrong. But get_instance() returns the controller's instance which, in the context of a "view" is also known as $this. That's a bit hard to turn off. I imagine the abstraction provided by twig or other template system might obscure that fact. Still, a savvy developer will likely know it, or figure it out if the decide "I really need that".
Reply

#13
I tried to find a solution to see where the call made to get_instance() originated from, but there doesn't seem to be any difference between a call made from the view or from the controller belonging to that view, as least not in the available set of variables/settings that's available in get_instance().
Reply

#14
There are things to be considered: get_instace() might be used within (custom or not) helper functions that are to be used within a view. Also, some people use HMVC.

If somehow you trace the stack, then you will need to find the actual file, then check whether it is under a folder named 'views', or a subfolder of 'views' and then block get_instance() on such a condition. Such a detection (if possible) would be tricky, unreliable and slow.

Better stick to Twig since you adopted it and know how to use it. It has enabled by default html escaping, this is even more important than the problem you have pointed.

In production systems enable the caching feature of Twig (cached files contain PHP code, actually). I observed that caching reduced memory consumption a lot. See the attached picture.


Attached Files Thumbnail(s)
   
Reply

#15
(11-21-2017, 11:51 AM)rolf Wrote:
(11-21-2017, 10:20 AM)Narf Wrote:
(11-21-2017, 09:36 AM)rolf Wrote:
(11-21-2017, 03:00 AM)Narf Wrote: Not possible.

I agree. Even when creating an extension for get_instance(), it's still not possible to determine whether a call was being made from the view or from the controller.

It is possible to detect where the call originated from. You can't make an extension of get_instance().

So, how would you do this?

Do what? As I already said, it's impossible to forbid get_instance() calls, in any context.
Reply

#16
(11-21-2017, 01:12 PM)ivantcholakov Wrote: There are things to be considered: get_instace() might be used within (custom or not) helper functions that are to be used within a view. Also, some people use HMVC.

If somehow you trace the stack, then you will need to find the actual file, then check whether it is under a folder named 'views', or a subfolder of 'views' and then block get_instance() on such a condition. Such a detection (if possible) would be tricky, unreliable and slow.

Better stick to Twig since you adopted it and know how to use it. It has enabled by default html escaping, this is even more important than the problem you have pointed.

In production systems enable the caching feature of Twig (cached files contain PHP code, actually). I observed that caching reduced memory consumption a lot. See the attached picture.

 Hi ivantcholakov, thanks for taking the time to reply Smile
Reply

#17
(11-22-2017, 04:31 AM)Narf Wrote:
(11-21-2017, 11:51 AM)rolf Wrote:
(11-21-2017, 10:20 AM)Narf Wrote:
(11-21-2017, 09:36 AM)rolf Wrote:
(11-21-2017, 03:00 AM)Narf Wrote: Not possible.

I agree. Even when creating an extension for get_instance(), it's still not possible to determine whether a call was being made from the view or from the controller.

It is possible to detect where the call originated from. You can't make an extension of get_instance().

So, how would you do this?

Do what? As I already said, it's impossible to forbid get_instance() calls, in any context.

You said two things, of which only would be possible according to you. So of course I'm referring to what you said "It is possible to detect where the call originated from." Because I don't see how to easily make a distinction in between calls originating from the view and from the controller.

However, I've decided to continue with Twig, as this seems to work fine for me. The only disadvantage is the need to update over 200 different pages.
Reply

#18
(11-22-2017, 05:40 AM)rolf Wrote:
(11-22-2017, 04:31 AM)Narf Wrote:
(11-21-2017, 11:51 AM)rolf Wrote:
(11-21-2017, 10:20 AM)Narf Wrote: It is possible to detect where the call originated from. You can't make an extension of get_instance().

So, how would you do this?

Do what? As I already said, it's impossible to forbid get_instance() calls, in any context.

You said two things, of which only would be possible according to you. So of course I'm referring to what you said "It is possible to detect where the call originated from." Because I don't see how to easily make a distinction in between calls originating from the view and from the controller.

However, I've decided to continue with Twig, as this seems to work fine for me. The only disadvantage is the need to update over 200 different pages.

Sorry, I'm way too used to people ignoring my previous comments.

https://secure.php.net/debug_backtrace
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.