Update:Archive/2.0/Developers Guide

THIS PAGE MAY BE OUTDATED
This article is in parts, or in its entirety, outdated. Hence, the information presented on this page may be incorrect, and should be treated with due caution until this flag has been lifted.

Website Developer's Guide

We grab the update and plugin files as well as the database from the production servers every 4 hours. We also update /data/update-dev and /data/update-staging via CVS every 4 hours.

If you would like to, and have the skills, you can help UMO by writing patches for the bugs in the system. For all known bugs in UMO, please go to the Bug List. To get access to the UMO code, read the Anonymous CVS Access instructions below.

In order to get your patch applied in CVS, request review from someone who knows what they're doing (morgamic, clouswerw, etc.) and join the IRC channel #amo on irc.mozilla.org.

Anonymous CVS Access

http://www.mozilla.org/cvs.html

NOTE: Do this from your home directory:

setenv CVSROOT :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot  
cvs login
(password is "anonymous")

NOTE: If the directory public_html doesn't exist, create it. If you have Apache pointing to another directory, replace public_html with that path.

cvs co -rMOZILLA_UPDATE_1_0_BRANCH -d public_html . mozilla/webtools/update

Sandbox Environment

Each developer can use a sandbox environment on chameleon.mozilla.org hosted in their public_html directory. If you would like access to this environment, talk with morgamic in #addons on irc.mozilla.org. This will allow you to test patches and do custom development in your own sandbox without affecting the production development or staging environments.

The latest dump of the UMO database is in /data/db on chameleon. To use it just grab it and put it in your home directory and run:

  • cp mozilla-update.sql .
  • mysql -u username -p --database username < mozilla-update.sql
I always get permission errors for the LOCK and UNLOCK statements, so a search and replace before running the script gets me past that. -alanjstr
Works fine for me... --Colin 02:49, 13 Jun 2005 (PDT)

You can edit your database via phpmyadmin if you go to https://update-staging.mozilla.org/db/ using your sandbox username/password. You will be asked to enter your password twice as the first one is an htaccess password to protect the phpmyadmin tool behind it.

All error messages will be displayed by default. Unless you are trying to eliminate all notices, you may want to change this to E_WARNING in order to actually get by. You can change that via .htaccess or ini_set. To do this, you can set the following in your config.php:

ini_set('error_reporting', E_WARNING); 
ini_set('display_errors', true);

Installation Guide

To install v2.0, read the complete step-by-step installation guide.

v2.0 Overview


The $db object is a global PEAR object used for all queries to/from the database. It is actually an object that is instantiated as AMO_SQL, which extends SQL, which extends PEAR::DB.

All DB calls are wrapped using the exact SQL library found in the Smarty sample application. See the Smarty sample app for examples.


The $tpl object extends Smarty, and is instantiated as AMO_Smarty. It follows Smarty protocol. For questions about Smarty, consult the Smarty manual.

Putting it together

An example document would look something like this:

<?php
/**
 * FAQ page.
 * @package amo
 * @subpackage docs
 * @todo FAQ search?
 */

// Query the active FAQ entries through the global $db object.
...
    WHERE
        `active` = 'YES'
    ORDER BY
        `index` ASC,
        `title` ASC
...

// Rows returned by the query.
$faq = $db->record;

// Links passed to the template.
$links = array(
    array(  'href'  => './faq.php',
            'title' => 'Frequently Asked Questions',
            'text'  => 'FAQ'),

    array(  'href'  => './policy.php',
            'title' => 'Addons Policies',
            'text'  => 'Policy')
);

// Send FAQ data to Smarty object.
$tpl->assign(
   array(   'faq'       => $faq,
            'links'     => $links,
            'sidebar'   => 'inc/nav.tpl',
            'content'   => 'faq.tpl',
            'title'     => 'Frequently Asked Questions')
);

// No need to set wrapper, since the left-nav wrapper is default.
// $wrapper = 'inc/wrappers/default.tpl';

Here we see standard usage of $db to query data, then the $tpl->assign() function assigns local variables to the Smarty template. Here are some pointers:

  • The Smarty template to be used for the page content is always defined by 'content'.
  • 'title' is the page title as in <title>some title</title>.
  • The global Smarty wrapper is defined at runtime, and stored in $wrapper. If $wrapper is not defined, the default wrapper is called, which exists at 'tpl/inc/wrappers/default.tpl'.
  • Examine index.php and faq.php for examples that will show you the difference between default and non-default wrappers.
  • Your tpl document will live in /tpl (from the app root). For instance, faq.tpl lives in /tpl/faq.tpl.

faq.tpl looks like this:

<h1>Frequently Asked Questions</h1>
{section name=faq loop=$faq}

Input Filtering

If you are working on a page that concerns input from GET, POST, SESSION or REQUEST, please understand the proper format for filtering and storing foreign data.

Trust nothing, and be exhaustive!

Please review the following seminars on PHP security before you even attempt to filter remote input:

These are good examples, but don't follow them verbatim. Follow the syntax used in example scripts. See search.php for a good example.

Input Filtering No-No's

Do not use REQUEST 
By nature, REQUEST is a violation of HTTP protocol. You should reference GET or POST or COOKIE or SESSION explicitly, but never assume that you are pulling from 'any of those' at once. This opens the door for abuse and manipulation of variables because it makes it unclear where you are getting your variables from.
Do not assign or reference GET, POST, REQUEST or COOKIE directly 
Before using any data from any untrusted arrays, you should first test for types and validity, then assign those values to proper locations in trusted arrays. Do not ever, ever use any of these request arrays in any script logic or SQL. You will be punished.

General Input Filtering Guidelines

  • Filter all input properly.
  • After filtering, store things in arrays that make sense:
    • $sql - array of SQL-safe variables.
    • $clean - array of raw but trusted variables.
  • Do not escape these for HTML output; that is handled by Smarty's |escape function, and does not need to happen in your PHP scripts.
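
One way to apply these guidelines, shown as an added example that is not UMO's own code. The parameter names (id, sort, q) and the function filter_request are hypothetical, $get is constructed sample data standing in for $_GET (it includes a sort value that is off the whitelist and an array-typed parameter), and PDO::quote on an in-memory SQLite handle stands in for the quoting function of the real database connection.

```php
<?php
// Added example, not UMO code. $get is constructed sample data standing in
// for $_GET; the parameter names id, sort and q are hypothetical.
$get = array('id' => '42', 'sort' => 'title; --', 'q' => " o'reilly <b> ",
             'page' => array('1'));

// $quote is the database layer's string-quoting function (assumption: here
// PDO::quote on an in-memory SQLite handle; use your real connection's).
function filter_request(array $get, callable $quote)
{
    $clean = array();   // raw but trusted values
    $sql   = array();   // values safe to place in SQL

    // Integer id: must be a string of 1-9 digits (arrays are rejected).
    if (isset($get['id']) && is_string($get['id'])
        && ctype_digit($get['id']) && strlen($get['id']) <= 9) {
        $clean['id'] = (int) $get['id'];
        $sql['id']   = $clean['id'];
    }

    // Sort column: only names on the whitelist, never the raw string.
    $sortable = array('title', 'index');
    if (isset($get['sort']) && in_array($get['sort'], $sortable, true)) {
        $clean['sort'] = $get['sort'];
        $sql['sort']   = '`' . $clean['sort'] . '`';
    }

    // Free-text search term: bounded length, no control characters.
    if (isset($get['q']) && is_string($get['q'])) {
        $q = trim($get['q']);
        if ($q !== '' && strlen($q) <= 64
            && !preg_match('/[\x00-\x1f\x7f]/', $q)) {
            $clean['q'] = $q;           // left unescaped for Smarty's |escape
            $sql['q']   = $quote($q);   // quoted literal, delimiters included
        }
    }

    // Anything not handled above (here: page) never reaches either array.
    return array($clean, $sql);
}

$pdo = new PDO('sqlite::memory:');
list($clean, $sql) = filter_request($get, array($pdo, 'quote'));

var_dump($clean);
var_dump($sql);
```

Script logic then reads only from $clean and queries are built only from $sql; the request array is not touched again after this function returns.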