Release notes

Version 2.1.rc1 open source edition

This version does not include the examples. It is meant to run on PHP5 only. If you retieved this page from a http server that supports PHP, Click here to try it out.

This version does not include pntUnit and the unit tests.

What's new

Since 2.0.0a

• Security improvements:
  • the complete code of the abstact user interfaces has been reviewed and improved to protect against Cross Site Scripting
  • validation of all request variables including cookies and server variables,
  • some improvement of the CSRF protection,
  • explicit specification of character sets,
  • limitation of AJAX requests to the host the page originates from,
  • can be extended by application developer for the use of UTF-8 character set,
  • id's are now included in string conversion (safer for numeric ids and gives application developers control over string-ids).
  • string-conversion no longer propagates erroneous values.
• Other improvements
  • Domain Specific Language style api for Navigational Queries
  • AJAX identifiers now allow paths to parts and subparts, used by EditDetailsPage to support AJAX refresh down to individual widgets
  • More api docs in the source
  • Accomodation to Historical Data Management extionsion (extension is not included in open source version)
• many small changes, see changes.txt .

Remarks for upgrading existing applications

For 2.1.rc1:

• The abstact user interface now explicitly specifies the character set to the browser. If you use an other charecter set then you can override PntValueValidator::getInternalCharset (for the domain model), and PntStringConverter->labelCharset (if the character set in the user interface differs from the domain model, see PntStringConverter for details. Allways set the database charecter set to be equal to the domain model charactewr set.
• If you have overridden PntSite::getUiDir or PntRequestHandler::getDir you probably need to move it to override PntSite::getAppName
• The query model (classes in pnt/db/query) have been refactored and produce different queries. This may be disruptive for applications that insert manually create SQL or use the templates feature of PntSqlFilter, subclass the query classes, manually set properties that are usually set atomatically or call low level methods directly.
• You can now obtain validated server variables and cookies from reqesthandlers ->controller->serverVars or cookies.
• If you pass non-alpanumeric characters in urls unencoded the new HttpRequestValidator may throw an exception and/or leave the parameters or variables out, check your error log for details.
• Item table ids no longer include the trailing slash after the application name. Script functions in general.js have been adapted, but in case you have overridden these funtions you may have to adapt your overrides.
• PntPdoDao is now used by default. You may chancge the superclass of QueryHandler if you want to use an other type of Dao
• The AJAX framework no longer supports updating attributes
• PntObjectTablePart::printRow now uses itemHlColor instead of rowHlColor
• Initialization order of PntSite has chenged on order to support complete Http request valdation
• includes/skinFilterPart.php added
• PntObjectVerifyDeleteDialog now subclassed from ObjectVerifyDeletePage
• PntSecurityManager::checkViewProperty for performance reasons no longer retrieves and passes values of multi value properties. Checks are now done on display by PntPropertyPart::getPropertyValueFor, it only shows values that may be viewed

For 2.1.0 See the release notes of the upgrade release you can download from the phpPeanuts website. (For 2.1.rc1 an upgrade version is not made availabe.

Known bugs and limitations

1. Applications are not protected against cross frame scripting. For this reason CRSF protection needs to be extended to all request from login by per-request tokens using encription-strength random numbers. (This is only relevalnt for applications using authentication/authorization - the extension for this is not included in the open source version)
2. Includes quoted parameters in SQL (should only use parameterized queries)
3. With older versions of PHP and/or MySQL the character set can not be set on the connection in such a way that the quoting functions of MySQL take the character set into account. This may be a problem with UTF-8 and if may have security implications, possibly including SQL injection vurnerabilities. To avoid this requires:
   - MySQL >= 5.0.7 or if you're using MySQL 4, then >= 4.1.13.
   - PntMySqlDaro: PHP 5.0.7 or later
   - PntPdoDao: PHP 5.3.6 or later
   - PntMySqliDao (not included in the open source version): PHP 5.0.5 or later
4. Though the framework has DAO classes that are successfully used as the database abstraction layer with MySQL and SqLite, the use with other databases may require some additional refactoring. Please inform us about eventual problems and solutions with the use of other databases. (Known: Oracle versions below 9 do not support standard explicit JOIN syntax, but producing JOIN instuctions is not delegated to DAO objects and can not be easily refactored to do so.)
5. The AGPL license requires you to make the source of applications using this version of phpPeanuts available to any users outside your own organization, and allow them forward it to the rest of the world. An extended commercial edition is available on request under developers licenses that do not include obligations to publish derived works etc. For more info see the Support menu of the phpPeanuts website.