Version 2.2.0 open source edition
This version does not include the examples. It is meant to run on PHP5 only.
If you retieved this page from a http server that supports PHP, Click
here to try it out.
This version does not include pntUnit and the unit tests.
- Synchronizer Token Pattern for referrer tokens in all urls
- ActionTickets now use hashed random tokens with timeout
- Only uses parameterized queries (may be emulated)
- Parameterized query emulation for old MySql driver
- PntValidationException thrown on invalid request data that should never be produced by applications
- Scouting data and Tokens now support the usage of serveral phpPeanuts root folders (baseUrls) on the same (virtual) server
- tested with PHP 5.4.8
- many small changes, see changes.txt .
Remarks for upgrading existing applications
See the release notes of the upgrade release you can download from the phpPeanuts website.
Known bugs and limitations
- Applications are only protected against cross frame scripting in browsers that support the X-Frame-Options header.
- The Synchronizer Token Pattern by referrerer tokens is not as strong as by request tokens. (currently
most frameworks only implement this pattern for actions (called tickets with peanuts)).
- With older versions of PHP and/or MySQL the character set can not be set on the connection in such a way that the
quoting functions of MySQL take the character set into account (This is a limitation of PHP and MySql).
This may be a problem with UTF-8 and it may
have security implications, possibly including SQL injection vurnerabilities. To avoid this requires:
- MySQL >= 5.0.7 or if you're using MySQL 4, then >= 4.1.13.
- PntMySqlDao: PHP 5.0.7 or later
- PntPdoDao: PHP 5.3.6 or later
- PntMySqliDao (not included in the open source version): PHP 5.0.5 or later.
Emulated parameterized queries like used by PDO and PntMySqlDao will not protect you from this! (You may configure
PDO to use native parameterization)
- Though the framework has DAO classes that are successfully used as the database abstraction layer with MySQL
and SqLite, the use with other databases may require some additional refactoring. Please inform us about eventual
problems and solutions with the use of other databases. (Known: Oracle versions below 9 do not support standard
explicit JOIN syntax, but producing JOIN instuctions is not delegated to DAO objects and can not be easily refactored
to do so.)
- The AGPL license requires you to make the source of applications using this version
of phpPeanuts available to any users outside your own organization, and allow them forward
it to the rest of the world. An extended commercial edition is available on request under
developers licenses that do not include obligations to publish derived works etc.
For more info see the Support menu of the phpPeanuts website.