Sitemagic CMS environment information
Environment information comes from the SMEnvironment class. It contains data sent from the client (browser) through GET/POST, cookie and session data, server information, information about Sitemagic CMS (meta data such as version number) and information about system folders.
Use of the SMEnvironment class is optional, although recommended. It simplifies the process of extracting environment data, as it does not emit errors and warnings when querying information that does not exist, which PHP usually does. It also features a simple validation and security mechanism useful when extracting data for use in e.g. SQL queries or file references that are vulnerable to injection attacks.
Reading data from URL and form data (GET/POST)
// Easily get value from a form input element
$username = SMEnvironment::GetPostValue("NewUsername");
// The line above is equivalent to the following line of native PHP code:
$username = (isset($_POST["NewUsername"]) === true ? $_POST["NewUsername"] : null);
As the code above demonstrates, using the SMEnvironment class simplifies data access.
The table below shows how the different SMEnvironment functions map to native PHP arrays.
SMEnvironment function                  Native PHP array
SMEnvironment::GetPostValue             $_POST
SMEnvironment::GetQueryValue            $_GET
SMEnvironment::GetEnvironmentValue      $_SERVER
SMEnvironment::GetSessionValue          $_SESSION
SMEnvironment::GetCookieValue           $_COOKIE
For cookies and sessions the SMEnvironment class also features a Set and Destroy function that may be used to create, update, and remove sessions and cookies.
// Create (or update existing) session value
SMEnvironment::SetSessionValue("ShowWebShopBasket", "AlwaysShow");
// Remove existing session value
SMEnvironment::DestroySession("ShowWebShopBasket");
Built-in validation
The five functions in the table above feature a simple validation mechanism that can be used to increase security. Consider the following insecure example:
Notice: Insecure example
$publicFolder = SMEnvironment::GetFilesDirectory() . "/public";
$folder = SMEnvironment::GetPostValue("FolderPicker"); // Drop down menu
$files = SMFileSystem::GetFiles($publicFolder . "/" . $folder);
foreach ($files as $file)
    $output .= createDownloadLink($folder, $file);
The example above lets the user pick a folder from a drop down menu to get access to all contained files. But in this particular example we have left a giant security hole in our extension. A person with sufficient knowledge of web development could easily change the selectable values in the drop down menu to make the system load files from a parent (perhaps system) directory. To avoid this, all we have to do is change the second line of code to this:
$folder = SMEnvironment::GetPostValue("FolderPicker", SMValueRestriction::$SafePath);
The user will now only be able to load files and folders from the public folder (and sub folders), not from parent folders.
The SMValueRestriction class contains a few commonly used validation rules that are useful when it comes to increasing security. For more advanced needs, please consider e.g. Regular Expressions.
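To show the kind of check that keeps a user-supplied folder inside the public folder, here is an added example in native PHP. It is not Sitemagic CMS code and makes no claim about how SMValueRestriction works internally; resolveInsideBase() is a hypothetical helper name and the directory layout is constructed for the demonstration.

```php
<?php
// Added example (not Sitemagic CMS code). resolveInsideBase() is a hypothetical helper.
// Returns the resolved directory if it lies inside $baseDir, otherwise null.
function resolveInsideBase(string $baseDir, ?string $userValue): ?string
{
    // Reject missing or empty values and NUL bytes before touching the file system
    if ($userValue === null || $userValue === "" || strpos($userValue, "\0") !== false)
        return null;

    $base = realpath($baseDir);
    if ($base === false)
        return null;

    // realpath() collapses "..", "." and symlinks; it returns false if the path does not exist
    $target = realpath($base . DIRECTORY_SEPARATOR . $userValue);
    if ($target === false || is_dir($target) === false)
        return null;

    // Compare with a trailing separator so "public-old" is not mistaken for "public"
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0)
        return null;

    return $target;
}

// Constructed sample layout in a temporary directory
$root = sys_get_temp_dir() . "/smdemo_" . uniqid();
mkdir($root . "/public/manuals", 0700, true);
mkdir($root . "/public-old", 0700, true);
mkdir($root . "/data", 0700, true);

// Constructed sample values, as they could arrive from a tampered drop down menu
$samples = array("manuals", "./manuals", "../data", "../public-old", "manuals/../../data", "missing", "");
foreach ($samples as $value)
{
    $resolved = resolveInsideBase($root . "/public", $value);
    printf("%-24s => %s\n", var_export($value, true), ($resolved === null ? "rejected" : "accepted"));
}

// Remove the constructed directories again
foreach (array("/public/manuals", "/public-old", "/data", "/public", "") as $dir)
    rmdir($root . $dir);
```

Only "manuals" and "./manuals" are accepted; every value that resolves outside the public folder, or to a folder that does not exist, is rejected.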
Sitemagic CMS environment information
The SMEnvironment class provides access to meta data about Sitemagic CMS, as well as references to system directories.
// Get Sitemagic CMS version and website URL (defined in metadata.xml)
$info = SMEnvironment::GetMetaData();
$version = $info["Version"];
$url = $info["Website"];
// Get references to Sitemagic CMS system directories
$dataFolder = SMEnvironment::GetDataDirectory();
$extensionsFolder = SMEnvironment::GetExtensionsDirectory();
$filesFolder = SMEnvironment::GetFilesDirectory();
$templatesFolder = SMEnvironment::GetTemplatesDirectory();
// Get all sub folders from templates folder
$folders = SMFileSystem::GetFolders($templatesFolder);