Larry Ullman's Book Forums

saniko


saniko last won the day on November 5 2013


  1. Larry, I've spent the last two weeks in Yii 2. I think it is an incredible upgrade over Yii 1. Every single change feels like a real improvement. I am really impressed! What surprises me is how easy it was for me to build incredible functionality based on what I learned from the Yii Book even without any updated information from you. You really did set a solid platform to work with! The Yii 2 Online Guide is also a huge improvement in terms of documentation. Thank you for making Yii so accessible. It is such an incredible framework! Take care, -saniko
  2. I'm ecstatic that you've reconsidered doing this chapter!
  3. Larry, Based on the latest newsletter, is there really not going to be a unit testing chapter for Yii 1? You mention that many people (including me) will be using Yii 1 for the near future. I'd be very disappointed if the Yii Book didn't cover any of the Unit Testing options in Yii 1. Can you at least provide a good list of references?
  4. Hi! You'll need to provide a lot more information before you can get any real help. For example:

     Server Details
     - What OS is it running?
     - What PHP version does it have?
     - What MySQL version is it running?

     Localhost Details
     - same questions

     Browser (both on your computer and mobile device)
     - What type and version?

     My guess is that your localhost and deployment server have differences. This wouldn't be a Yii issue, it would be a configuration issue for your server.
  5. Larry, As I mentioned before, I love your book. However, in Chapter 19, there seems to be a gap when it comes to implementing controller extensions. You've gone into some detail about how to create a controller extension by extending CExtController, but you did not mention how to actually implement one. You said it is just like any other extension, but it seems quite different. Here are the details that I know about:

     1. Add a 'controllerMap' array into the return array in protected/main.php
     2. Add configuration details for the extension:

            'controllerMap'=>array(
                'controllername'=>array(
                    'class'=>'ext.controllerextension.controllerextensionclassname',
                    'publicproperty'=>'value',
                ),
            ),

     3. Extension can be accessed at controllername/controlleraction

     Can you add something like that to the next update? Take care, -saniko
  6. Larry, I can't wait for you to put the Yii Book up on Amazon so I can give it a 5 star review. Sure, the Yii Book is taking a lot longer than I anticipated. However, I have never read a book that has so thoroughly blown away my expectations. This is not just a book on a single PHP framework; it is a bible on how to design the best web applications on the Internet. Your book has taught me more about object-oriented PHP, MVC, caching, URL routing, exception handling, web services, access control, secure web design, and profiling than any book I've ever read. Even when the world moves on from Yii, I will never forget how your book tied together so many disparate pieces into one coherent masterpiece. You're a genius. I can't wait for your chapter on Unit Testing. Keep up the wonderful work and add a donation page on the yii.larryullman.com site. Take care, -saniko
  7. After a lot of testing, I realized that I had a few more things wrong. Here is a summary of what to consider:

     The only way to save things to the auto-login cookie is by using setState in the UserIdentity authenticate method - using $this->setState('value', $valuetosave);

     The auto-login cookie saves the state of the user being authenticated. It DOES not require that they go in to any other controller/action but remembers that they have logged in.

     This means that the system remembers nothing but the information you saved in the cookie and the fact that you have logged in.

     So this leaves you with a problem. You don't want to save sensitive information in the cookie, but you do want to ensure that there is information about an authenticated user at all times. Here was my solution. I saved one user-specific piece of information about the user into the cookie. After that, I added the following item into the base controller in protected/components/Controller.php:

         public function init()
         {
             if (!Yii::app()->user->isGuest && !isset($valuecriticalforuser)) {
                 // load all needed information about user based on user-specific piece of information in autologin cookie
                 // save that information into the user state including the $valuecriticalforuser
             }
         }

     There you go! There are probably other ways to do this too, but I like this one.
  8. Larry, Not really. A suggestion here might be to include a note in future editions of the book that says that anything set in the Authenticate method of the UserIdentity method gets stored in a cookie. However, if the items are saved to user state after authentication (which is the only real purpose of the autologin cookie), then they are not stored in a cookie. For example, if I save items to the user via Yii::app()->user->setState('last_login_date', $model->field); during a login method of the LoginForm class, I still maintain the convenience of the autologin cookie but also the security of not saving information like the primary key etc. into the cookie. Take care, -saniko
  9. I've been sifting through the code and it seems very strange. It looks like when you setState during authentication with UserIdentity, it saves to a cookie. However, Yii::app()->user->setState is different! Larry, I know you will be working on the documentation for this stuff. They could really use your help here! Hopefully in Yii 2 they will clarify what gets stored in a cookie and what does not. Yii::app()->user->setState does not. I think it's a good idea to use that function during login to securely store information in sessions rather than have any setState in UserIdentity. I love this framework but there are places where they use the same terms for different ideas and blow my mind in a bad, bad way. I kept autologin=true, but here is how I get user data into the session in LoginForm.php and avoid the dreaded cookie:

         public function login()
         {
             // authenticate once and keep the identity on the form
             if($this->_identity===null)
             {
                 $this->_identity=new UserIdentity($this->email_address,$this->password);
                 $this->_identity->authenticate();
             }
             if($this->_identity->errorCode===UserIdentity::ERROR_NONE)
             {
                 $duration=$this->rememberMe ? 3600*24*7 : 0; // 7 days
                 Yii::app()->user->login($this->_identity,$duration);
                 // states set here, after login(), through Yii::app()->user
                 $member=Member::model()->findByAttributes(array('email_address'=>strtolower($this->email_address)));
                 Yii::app()->user->setState('last_login_date', $member->last_login_date);
                 Yii::app()->user->setState('id',$member->id);
                 // record the new login time in UTC
                 $member->updateByPk(Yii::app()->user->id, array('last_login_date'=>new CDbExpression('UTC_TIMESTAMP()')));
                 return true;
             }
             else
                 return false;
         }
  10. Larry, You mentioned that by adding the remember me/ auto login option, all user information gets saved to a cookie instead of a session. I loved reading about the security concern but wasn't sure about what to do with the risk. I was planning on using Yii::app()->session instead of Yii::app()->user->setState until I read the following thread on the Yii forum: http://www.yiiframework.com/forum/index.php/topic/11858-security-implications-with-cwebuser/page__st__20 Based on this thread, anything using setState is not stored in a cookie even if auto login is true. Can you check and confirm this? If it is true, then it would be nice for your next update. Right now, I'm sure there are readers like me who panic about storing data in the user state when they really want to use the cookie based login option. Thanks! -saniko
  11. Larry, Love the book. As I put more of it into practical use, I would love to make suggestions on how it can be improved. The parameter binding section in the databases chapter is excellent! However, it would be nice to inform people that Yii has Active Record functions that handle parameter binding for you such as findByAttributes. I churned on this for a few hours while I was trying to use parameter binding with the findByAttributes function. Thankfully, someone in the Yii chatroom informed me that I was trying to "double bind" because Yii has this issue covered in some functions through findByAttributes or findByPk. I appreciated you raising awareness of the issue but it would be nice to know how Yii has some cool ways to handle it without resorting to parameter binding in a find() or findAll() method.
  12. I guess that's another reason for Amazon. Stripe is awesome but supports fewer countries. Amazon is everywhere and people trust it.
  13. I love Stripe. I hate PayPal. However, since everything on my site uses Amazon Web Services (EC2, SES, RDS, CloudFront), I would love some neat tips for Amazon's FPS.
  14. Darn! I was hoping Checkout by Amazon would make it. I'm going all Amazon and giving up PayPal for good!
  15. Larry, I've noticed you use sort order (ASC) when building indexes for your tables. I didn't think MySQL actually used this information at all because it can only do ASC indexes. Is that correct? Love the book. Can't wait to grab your new eCommerce book soon too! Take care, -saniko
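
The behaviour posts 7 to 9 describe, as an added example that is not part of the original posts and is not Yii's own code: a simplified plain-PHP model in which values set on the identity during authentication travel in the auto-login cookie, while values set on the user after login live only in the session and must be reloaded once the session is gone. `DemoWebUser`, `COOKIE_KEY`, `lookup_token` and the cookie layout (signed but not encrypted) are assumptions made for illustration.

```php
<?php
// Simplified model, not Yii source. All names and sample values are constructed.
const COOKIE_KEY = 'constructed-demo-key'; // stands in for the application's validation key

final class DemoWebUser
{
    public array $session = [];    // server-side storage
    public ?string $cookie = null; // what the browser would receive and could read

    /** $identityStates models values set with setState() inside UserIdentity::authenticate(). */
    public function login(int $id, array $identityStates, int $duration): void
    {
        $this->session = ['id' => $id] + $identityStates;
        if ($duration > 0) {
            $payload = json_encode(['id' => $id, 'states' => $identityStates, 'exp' => time() + $duration]);
            // The MAC stops tampering; it does not hide the payload from the client.
            $this->cookie = hash_hmac('sha256', $payload, COOKIE_KEY) . '.' . base64_encode($payload);
        }
    }

    /** Models a setState() call made on the user after login: session only. */
    public function setState(string $key, $value): void
    {
        $this->session[$key] = $value;
    }

    /** A later request whose session has expired: state is rebuilt from the cookie alone. */
    public function restoreFromCookie(): bool
    {
        $this->session = [];
        $parts = explode('.', (string) $this->cookie, 2);
        if (count($parts) !== 2) return false;
        $payload = base64_decode($parts[1], true);
        if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $parts[0])) return false;
        $data = json_decode($payload, true);
        if (!is_array($data) || $data['exp'] < time()) return false;
        $this->session = ['id' => $data['id']] + $data['states'];
        return true;
    }
}

$user = new DemoWebUser();
$user->login(42, ['lookup_token' => 'a1b2c3'], 3600 * 24 * 7); // one non-sensitive value in the cookie
$user->setState('last_login_date', '2013-11-05 10:00:00');     // set after login

echo "client can read: ", base64_decode(explode('.', $user->cookie, 2)[1]), "\n";
$user->restoreFromCookie();
// The identity state is back; the post-login state is not and has to be reloaded server-side.
var_dump(array_key_exists('lookup_token', $user->session));
var_dump(array_key_exists('last_login_date', $user->session));
```

The reload step in this model corresponds to the base-controller `init()` check in post 7: anything the application needs beyond the cookie's contents is fetched again on the server using the one value the cookie carries.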