Controller Scripts

The controller is where you instantiate and configure Zend_View. You then assign variables to the view, and tell the view to render output using a particular script.

Assigning Variables

Your controller script should assign necessary variables to the view before it hands over control to the view script. Normally, you can do assignments one at a time by assigning to property names of the view instance:

  $view = new Zend_View();
  $view->a = "Hay";
  $view->b = "Bee";
  $view->c = "Sea";

However, this can be tedious when you have already collected the values to be assigned into an array or object.

The assign() method lets you assign from an array or object "in bulk". The following examples have the same effect as the above one-by-one property assignments.

  $view = new Zend_View();

  // assign an array of key-value pairs, where the
  // key is the variable name, and the value is
  // the assigned value.
  $array = array(
      'a' => "Hay",
      'b' => "Bee",
      'c' => "Sea",
  );
  $view->assign($array);

  // do the same with an object's public properties;
  // note how we cast it to an array when assigning.
  $obj = new stdClass;
  $obj->a = "Hay";
  $obj->b = "Bee";
  $obj->c = "Sea";
  $view->assign((array) $obj);

Alternatively, you can use the assign method to assign one-by-one by passing a string variable name, and then the variable value.

  $view = new Zend_View();
  $view->assign('a', "Hay");
  $view->assign('b', "Bee");
  $view->assign('c', "Sea");

Rendering a View Script

Once you have assigned all needed variables, the controller should tell Zend_View to render a particular view script. Do so by calling the render() method with the script's file name. Note that render() returns the rendered output as a string rather than printing it, so you need to print or echo it yourself at the appropriate time.

  $view = new Zend_View();
  $view->a = "Hay";
  $view->b = "Bee";
  $view->c = "Sea";
  echo $view->render('someView.php');

View Script Paths

By default, Zend_View expects your view scripts to be relative to your calling script. For example, if your controller script is at "/path/to/app/controllers" and it calls $view->render('someView.php'), Zend_View will look for "/path/to/app/controllers/someView.php".

Obviously, your view scripts are probably located elsewhere. To tell Zend_View where it should look for view scripts, use the setScriptPath() method.

  $view = new Zend_View();
  $view->setScriptPath('/path/to/app/views');

Now when you call $view->render('someView.php'), it will look for "/path/to/app/views/someView.php".

In fact, you can "stack" paths using the addScriptPath() method. As you add paths to the stack, Zend_View looks in the most recently added path first for the requested view script, falling back to earlier paths. This allows you to override default views with custom views, so that you can create custom "themes" or "skins" for some views while leaving others alone.

  $view = new Zend_View();
  $view->addScriptPath('/path/to/app/views');
  $view->addScriptPath('/path/to/custom/');

  // now when you call $view->render('booklist.php'), Zend_View will
  // look first for "/path/to/custom/booklist.php", then for
  // "/path/to/app/views/booklist.php", and finally in the current
  // directory for "booklist.php".

Note: Never use user input to set script paths
Zend_View uses script paths to look up and render view scripts. As such, these directories should be known beforehand and under your control. Never set view script paths based on user input: if the supplied path contains parent-directory traversals ("../"), you open yourself up to a Local File Inclusion vulnerability, because any readable file under the attacker-chosen directory can be included and executed as PHP. For example, the following input could trigger the issue:

  // $_GET['foo'] == '../../../etc'
  $view->addScriptPath($_GET['foo']);
  $view->render('passwd');

While this example is contrived, it does clearly show the potential issue. If you must rely on user input to choose a script path, map the input onto a fixed set of known names rather than using it as a path fragment, or at minimum filter it and verify that the resolved directory lies under a path controlled by your application.
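The following is an added example, not code from the Zend Framework manual, showing the path-stacking "theme" pattern from the previous section implemented without the Local File Inclusion risk described in the note. It assumes Zend Framework 1's Zend_View API (setScriptPath(), addScriptPath(), render()); the theme names, directory layout and the helper functions configureViewUnsafe(), configureViewAllowlist(), resolveThemeDir() and configureViewChecked() are made up for illustration.

```php
<?php
// Added example (not from the Zend Framework manual). Assumes ZF1's Zend_View;
// theme names, paths and helper names below are hypothetical.
require_once 'Zend/View.php';

// Vulnerable pattern, shown for contrast: the attacker chooses the directory.
function configureViewUnsafe(Zend_View $view, $requestedTheme)
{
    $view->setScriptPath('/path/to/app/views');
    // $requestedTheme == '../../../etc' makes render('passwd') include /etc/passwd
    $view->addScriptPath('/path/to/app/themes/' . $requestedTheme);
}

// Hardened pattern 1: user input only selects a key from an allowlist, so it
// never becomes part of a filesystem path at all. Unknown names fall back.
function configureViewAllowlist(Zend_View $view, $requestedTheme)
{
    $themes = array(
        'default' => '/path/to/app/themes/default',
        'dark'    => '/path/to/app/themes/dark',
    );
    $theme = isset($themes[$requestedTheme]) ? $requestedTheme : 'default';

    $view->setScriptPath('/path/to/app/views');   // application defaults
    $view->addScriptPath($themes[$theme]);        // theme overrides, searched first
    return $theme;
}

// Hardened pattern 2: when themes are discovered on disk, restrict the name to a
// safe character class and confirm the resolved directory is inside the root.
function resolveThemeDir($themeRoot, $requestedTheme)
{
    // \z (not $) so a trailing newline cannot sneak past the check.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $requestedTheme)) {
        return false;                     // rejects '..', '/', NUL bytes, etc.
    }
    $root = realpath($themeRoot);
    $dir  = realpath($themeRoot . DIRECTORY_SEPARATOR . $requestedTheme);
    if ($root === false || $dir === false || !is_dir($dir)) {
        return false;                     // unknown theme
    }
    // realpath() resolves symlinks and '..', so a prefix check is meaningful.
    if (strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;                     // escaped the theme root (e.g. via symlink)
    }
    return $dir;
}

function configureViewChecked(Zend_View $view, $requestedTheme)
{
    $view->setScriptPath('/path/to/app/views');
    $dir = resolveThemeDir('/path/to/app/themes', $requestedTheme);
    if ($dir !== false) {
        $view->addScriptPath($dir);
    }
    // With no valid theme, only the application defaults are searched.
    return $dir;
}

// Usage: the query parameter picks a theme, but never a path.
$view = new Zend_View();
$requested = isset($_GET['theme']) ? (string) $_GET['theme'] : 'default';
configureViewAllowlist($view, $requested);
echo $view->render('booklist.php');
```

Prefer the allowlist form whenever the set of themes is fixed; the realpath() check is the fallback for theme directories that are created at deploy time, and it must be applied to the directory actually passed to addScriptPath(), not to an earlier, unresolved form of the string.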