Php framework prevents injection of code attributes
Taking reading as an example, if you access $ Component-> property1, what did Yii do behind the scenes? Let's take a look at yii \ base \ Component ::__ get ()
Public function _ get ($ name)
{
$ Getter = 'get'. $ name;
If (method_exists ($ this, $ getter )){
Return $ this-> $ getter ();
} Else {
// Note that the content of this else branch is exactly the same as that of yii \ base \ Object ::__ get ().
// Differences
$ This-> ensureBehaviors ();
Foreach ($ this-> _ behaviors as $ behavior ){
If ($ behavior-> canGetProperty ($ name )){
// The attribute must be public in the row. Otherwise, you cannot access it in the following format.
Return $ behavior-> $ name;
}
}
}
If (method_exists ($ this, 'set'. $ name )){
Throw new InvalidCallException ('Getting write-only property :'.
Get_class ($ this). ':'. $ name );
} Else {
Throw new UnknownPropertyException ('Getting unknown property :'.
Get_class ($ this). ':'. $ name );
}
}
The difference between yii \ base \ Compoent ::__ get () and yii \ base \ Object ::__ get. Yii \ base \ Object directly throws an exception for processing undefined getter functions, telling you that the attribute you want to access does not exist. However, yii \ base \ Component does not have a getter. check whether it is an attribute of the injection behavior:
First, call $ this-> ensureBehaviors (). This method has been mentioned earlier, mainly to ensure that the behavior has been bound.
After the behavior is bound, traverse $ this-> _ behaviors. Yii stores all bound behaviors of the class in the yii \ base \ Compoent ::$ _ behaviors [] array.
Finally, the behavior canGetProperty () is used to determine whether the property is a readable attribute of the bound behavior. if so, the behavior's property $ behavior-> name is returned. Read the attribute. As for canGetProperty (), we have already briefly discussed it in: ref: property, and will introduce it in detail later.
For setter, the code is similar, so it will not take up space here.
Method injection
Similar to the property injection method, the _ get () _ set () magic method is used. Yii uses the _ call () magic method to inject behavior methods:
Public function _ call ($ name, $ params)
{
$ This-> ensureBehaviors ();
Foreach ($ this-> _ behaviors as $ object ){
If ($ object-> hasMethod ($ name )){
Return call_user_func_array ([$ object, $ name], $ params );
}
}
Throw new UnknownMethodException ('calling unknown method :'.
Get_class ($ this). ": $ name ()");
}
From the code above, we can see that Yii still calls $ this-> ensureBehaviors () to ensure that the behavior has been bound.
Then, the yii \ base \ Component ::$ _ behaviros [] array is traversed. Use the hasMethod () method to determine whether a method exists. If the method to be called in the bound behavior exists, call it using call_user_func_array () of PHP. As for the hasMethod () method, let's talk about it later.
Access control for injection attributes and methods
In the previous section, we gave an example of whether the public, private, and protected members can access the bound classes. Here we will analyze the cause at the code level.
In the above content, we know that a property is inaccessible, mainly depending on the behavior canGetProperty () and canSetProperty (). A method cannot be called. it mainly depends on hasMethod () of the behavior (). Because yii \ base \ Behavior inherits from our old friend yii \ base \ Object, the three judgment methods mentioned above are actually all in the Object. Let's look at it one by one:
Public function canGetProperty ($ name, $ checkVars = true)
{
Return method_exists ($ this, 'Get'. $ name) | $ checkVars &&
Property_exists ($ this, $ name );
}
Public function canSetProperty ($ name, $ checkVars = true)
{
Return method_exists ($ this, 'set'. $ name) | $ checkVars &&
Property_exists ($ this, $ name );
}
Public function hasMethod ($ name)
{
Return method_exists ($ this, $ name );
}
These three methods are not complex. In this regard, we can draw the following conclusions:
When you read (write) an attribute bound to the Component, you can access it if the behavior defines a getter (setter) for this attribute. Or, if the behavior does have the member variable, you can use the above judgment. in this case, the member variable can be public, private, or protected. However, only the public member variables can be accessed correctly. The reason has been explained in the above section about the injection principle.
When you call a method for the behavior bound to Component, if the behavior has defined this method, you can use the above judgment. In this case, this method can be public, private, or protected. However, only public methods can be called correctly. If you understand the reason for the previous paragraph, you will understand it here.
Dependency Injection Container
The Dependency Injection (DI) container is an object that knows how to initialize and configure the object and all its dependent objects. Martin's article explains why DI containers are useful. Here we will mainly explain how to use DI containers provided by Yii.
Dependency Injection
Yii provides di Container features through the yii \ DI \ Container class. It supports the following types of dependency injection:
1. constructor injection;
2. Setter and attribute injection;
3. PHP callback injection.
4. constructor injection
With the help of parameter type prompts, DI container implements constructor injection. When a container is used to create a new object, the type prompt tells it which class or interface it depends on. The container will try to obtain the instance of the class or interface on which it depends, and then inject it into the new object through the constructor. For example:
Class Foo
{
Public function _ construct (Bar $ bar)
{
}
}
$ Foo = $ container-> get ('Foo ');
// The above code is equivalent:
$ Bar = new Bar;
$ Foo = new Foo ($ bar );
Setter and property injection
Setter and property injection are supported through configuration. When registering a dependency or creating a new object, you can provide a configuration that will be provided to the container for injecting dependencies through the corresponding Setter or attribute. For example:
Use yii \ base \ Object;
Class Foo extends Object
{
Public $ bar;
Private $ _ qux;
Public function getQux ()
{
Return $ this-> _ qux;
}
Public function setQux (Qux $ qux)
{
$ This-> _ qux = $ qux;
}
}
$ Container-> get ('foo', [], [
'Bar' => $ container-> get ('bar '),
'Qux' => $ container-> get ('qux '),
]);
PHP callback injection
In this case, the container will use a registered PHP callback to create a new instance of a class. Callback resolves dependencies and appropriately injects them into newly created objects. For example:
$ Container-> set ('foo', function (){
Return new Foo (new Bar );
});
$ Foo = $ container-> get ('Foo ');
Register dependency
You can use yii \ di \ Container: set () to register dependencies. Registration uses a dependency name and a dependency definition. The dependency name can be a class name, an interface name, or an alias. The dependency definition can be a class name, a configuration array, or a PHP callback.
$ Container = new \ yii \ di \ Container;
// Register a dependency with the same name. this can be omitted.
$ Container-> set ('yii \ db \ connection ');
// Register an interface
// When a class depends on this interface, the corresponding class will be initialized as a dependent object.
$ Container-> set ('yii \ mail \ mailinterface', 'yii \ swiftmailer \ Mailer ');
// Register an alias.
// You can use $ container-> get ('Foo') to create a Connection instance
$ Container-> set ('foo', 'yii \ db \ connection ');
// Register a class through configuration
// The configuration will be used during get () initialization.
$ Container-> set ('yii \ db \ connection ',[
'Dsn '=> 'MySQL: host = 127.0.0.1; dbname = demo ',
'Username' => 'root ',
'Password' => '',
'Charset' => 'utf8 ',
]);
// Register an alias through class configuration
// In this case, you need to specify this class through a "class" element
$ Container-> set ('DB ',[
'Class' => 'yii \ db \ connection ',
'Dsn '=> 'MySQL: host = 127.0.0.1; dbname = demo ',
'Username' => 'root ',
'Password' => '',
'Charset' => 'utf8 ',
]);
// Register a PHP callback
// The callback function is executed every time you call $ container-> get ('DB.
$ Container-> set ('DB', function ($ container, $ params, $ config ){
Return new \ yii \ db \ Connection ($ config );
});
// Register a component instance
// $ Container-> get ('pagecache') returns the same instance each time it is called.
$ Container-> set ('pagecache', new FileCache );
Tip: If the dependency name and dependency definition are the same, you do not need to register the dependency through DI container.
The dependency registered through set () generates a new instance each time it is used. You can use yii \ di \ Container: setSingleton () to register the dependencies of a singleton:
$ Container-> setSingleton ('yii \ db \ connection ',[
'Dsn '=> 'MySQL: host = 127.0.0.1; dbname = demo ',
'Username' => 'root ',
'Password' => '',
'Charset' => 'utf8 ',
]);
Resolve dependencies
After registering the dependency, you can use the DI container to create a new object. The container automatically resolves the dependency and instantiates the dependency and injects it into the newly created object. The solution of dependency relationships is recursive. if there are other dependencies in a dependency relationship, these dependencies will be automatically resolved.
You can use yii \ di \ Container: get () to create a new object. This method receives a dependency name, which can be a class name, an interface name, or an alias. The dependency name may be registered through set () or setSingleton. You can provide the constructor parameter list of a class and a configuration to configure the newly created object. For example:
// "Db" is an alias previously defined
$ Db = $ container-> get ('DB ');
// Equivalent to: $ engine = new \ app \ components \ SearchEngine ($ apiKey, ['type' => 1]);
$ Engine = $ container-> get ('app \ components \ SearchEngine ', [$ apiKey], ['type' => 1]);
Behind the code, DI containers do more work than creating objects. The container first checks the class construction method, finds the dependent class or interface name, and then automatically recursively solves these dependencies.
The following code shows a more complex example. The UserLister class depends on an object that implements the UserFinderInterface interface. the UserFinder class implements this interface and relies on a Connection object. All these dependencies are defined through the type prompt of the class constructor parameter. By registering property dependencies, the DI container can automatically resolve these dependencies and create a new userLister instance by calling a simple get ('userlister') call.
Namespace app \ models;
Use yii \ base \ Object;
Use yii \ db \ Connection;
Use yii \ di \ Container;
Interface UserFinderInterface
{
Function findUser ();
}
Class UserFinder extends Object implements UserFinderInterface
{
Public $ db;
Public function _ construct (Connection $ db, $ config = [])
{
$ This-> db = $ db;
Parent: :__ construct ($ config );
}
Public function findUser ()
{
}
}
Class UserLister extends Object
{
Public $ finder;
Public function _ construct (UserFinderInterface $ finder, $ config = [])
{
$ This-> finder = $ finder;
Parent: :__ construct ($ config );
}
}
$ Container = new Container;
$ Container-> set ('yii \ db \ connection ',[
'Dsn '=> '...',
]);
$ Container-> set ('app \ models \ userfinderinterface ',[
'Class' => 'app \ models \ UserFinder ',
]);
$ Container-> set ('userlister', 'app \ models \ userlister ');
$ Lister = $ container-> get ('userlister ');
// Equivalent:
$ Db = new \ yii \ db \ Connection (['dsn '=>'... ']);
$ Finder = new UserFinder ($ db );
$ Lister = new UserLister ($ finder );
Application in practice
When the Yii. php file is introduced into the application's Portal script, Yii creates a DI container. This DI container can be accessed through Yii: $ container. When Yii: createObject () is called, this method actually calls the yii \ di \ Container: get () method of this Container to create a new object. As described above, DI containers automatically resolve dependencies (if any) and inject them into newly created objects. Because Yii uses Yii: createObject () to create new objects in most of its core code, you can use Yii: $ container to globally customize these objects.
For example, you can globally customize the default number of paging buttons in yii \ widgets \ LinkPager:
\ Yii: $ container-> set ('yii \ widgets \ LinkPager ', ['maxbuttoncount' => 5]);
In this way, if you use this pendant in a view using the following code, its maxButtonCount attribute will be initialized to 5 instead of the default value 10 defined in the class.
Echo \ yii \ widgets \ LinkPager: widget ();
However, you can still overwrite the value set through the DI container:
Echo \ yii \ widgets \ LinkPager: widget (['maxbuttoncount' => 20]);
Another example is the benefit of using the DI container to automatically construct method injection. Assume that your controller class depends on some other objects, such as a hotel booking service. You can declare the dependency through a constructor parameter, and then let the DI container help you solve the dependency automatically.
Namespace app \ controllers;
Use yii \ web \ Controller;
Use app \ components \ BookingInterface;
Class Controller extends Controller
{
Protected $ bookingService;
Public function _ construct ($ id, $ module, BookingInterface $ bookingService, $ config = [])
{
$ This-> bookingService = $ bookingService;
Parent: :__ construct ($ id, $ module, $ config );
}
}
If you access this controller from a browser, you will see an error message reminding you that the BookingInterface cannot be instantiated. This is because you need to tell the DI container how to handle this dependency.
\ Yii: $ container-> set ('app \ components \ bookinginterface', 'app \ components \ bookingservice ');
Now, if you access this Controller again, an app \ components \ BookingService instance will be created and injected into the controller constructor as the third parameter.
When to register dependency
Since dependencies need to be resolved when creating new objects, their registration should be completed as soon as possible. The following are recommended practices:
If you are an application developer, you can register dependencies in the application's entry script or the script introduced by the entry script.
If you are a scalable developer, you can register dependencies into the extended bootstrap class.
Reprinted from QANDA. REN