Fruml CMS Community: PDO to use correct UTF - Fruml CMS Community


PDO to use correct UTF

#1 User is offline   Far Icon

  • Member
  • PipPip
  • Group: Members
  • Posts: 24
  • Joined: 04-February 10

Posted 10 February 2010 - 01:50 PM

When Immerse appeared there was a problem with charset differences in different languages. I got a problem with backups of the DB, when non-utf characters were lost in the process. The same problem is still here. PDO shall set utf-8 as default.

Please add to the class/class.db.php file, after line 38 ($this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);), a new command:

$this->db->exec("set names utf8");


It will help people using non-Latin languages have correct utf-8 characters in the DB. So there will be no problem with backing up and restoring the DB.
0

#2 User is offline   Alex Icon

  • Author
  • Icon
  • Group: Administrators
  • Posts: 56
  • Joined: 17-January 10

Posted 10 February 2010 - 02:20 PM

Done!

Just pushed it to the Mercurial repo at BitBucket.

I tested it, it seems to work fine (although existing Cyrillic characters were corrupted, new characters are stored correctly).
0

#3 User is offline   Far Icon

  • Member
  • PipPip
  • Group: Members
  • Posts: 24
  • Joined: 04-February 10

Posted 18 February 2010 - 01:14 PM

I got one question about the database. The DB class is very easy and powerful. But before, I did not use PDO at all. Shall we escape entries in the SQL query before running the query? Or does PDO do it automatically?

e.g. Is this sql safe?
<?php
$sql = 'SELECT * FROM %tp%action WHERE controller = '.CONTROLLER;
$rs = $db->query($sql)->fetchAll();

In the CMS there is no routing for URLs and also there is no escaping for the data passed through the URL, so the data from the URL gets to the script in raw format and can contain some SQL injections. But the question is not about the data itself: does PDO escape variables in SQL?
0

#4 User is offline   Alex Icon

  • Author
  • Icon
  • Group: Administrators
  • Posts: 56
  • Joined: 17-January 10

Posted 18 February 2010 - 01:43 PM

PDO automatically escapes data passed to it for queries written like this:
<?php
DB::getInstance()->query("SELECT * FROM %tp%action WHERE controller = ?", CONTROLLER);
?>


If you place the variables in your query yourself (like you show above) then you have to addslashes() it first.

There is some routing, namely:

/[cms]/[controller]/[action]/[REQUEST]

[controller] decides which Controller is loaded (in action/controller.***.php)
[action] decides which method is called on the controller.
[REQUEST] is explode()'d using the / character and the results are passed to the [action] as parameters.

So...

/cms/template/edit/2

will load the TemplateController in actions/controller.template.php, and then call the edit function and pass 2 as the first argument: TemplateController->edit(2);

The arguments passed to the methods are not escaped, that should be done by the code in the function itself (or the db functions).

The only exception is when you call a URL without /cms/ in front of it. Those are all passed to the FrontController, which parses the URL and decides which page should be displayed.
0
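
The difference between the two query styles discussed in posts #3 and #4, as an added example that is not part of the original thread or Fruml's own code. It uses plain PDO on an in-memory SQLite database instead of Fruml's DB class; the `action` table, its rows, the function names and the input strings are constructed for illustration.

```php
<?php
// Added example: plain PDO on an in-memory SQLite database (constructed data),
// not Fruml's DB class. Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE action (id INTEGER PRIMARY KEY, controller TEXT, name TEXT)');
$db->exec("INSERT INTO action (controller, name) VALUES
           ('template', 'edit'), ('template', 'delete'), ('user', 'edit')");

// Builds the query by string concatenation, as in the question in post #3.
// The value becomes part of the SQL text, so quotes in it change the statement.
function findConcatenated(PDO $db, string $controller): array
{
    $sql = "SELECT name FROM action WHERE controller = '" . $controller . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Sends the SQL text and the value separately. The driver binds the value
// as data, so it is never parsed as SQL, whatever characters it contains.
function findPrepared(PDO $db, string $controller): array
{
    $stmt = $db->prepare('SELECT name FROM action WHERE controller = ?');
    $stmt->execute([$controller]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for the raw [controller] URL segment.
$inputs = ['template', "x' OR '1'='1"];

foreach ($inputs as $input) {
    printf("input: %s\n", $input);
    printf("  concatenated: %d row(s)\n", count(findConcatenated($db, $input)));
    printf("  prepared:     %d row(s)\n", count(findPrepared($db, $input)));
}
```

For the second input the concatenated query matches every row in the table, while the prepared query matches none, because no controller has that literal name.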

#5 User is offline   Far Icon

  • Member
  • PipPip
  • Group: Members
  • Posts: 24
  • Joined: 04-February 10

Posted 18 February 2010 - 07:55 PM

If there were any kind of controllable router (like in CodeIgniter) in Fruml, it would be a good framework for developers, I guess.
0

#6 User is offline   Alex Icon

  • Author
  • Icon
  • Group: Administrators
  • Posts: 56
  • Joined: 17-January 10

Posted 18 February 2010 - 09:49 PM

Something like that should be possible, and might be a nice feature to add at some point.
First I want to concentrate on getting all the CMS bits finished first though. Maybe once that's pretty much done, we can think about Fruml as a framework as well as a CMS.
0
