One thing you may find yourself needing to do is access configuration information in a controller or service class. The easiest way to do this is to use the ServiceManger's initialiser feature. This allows you to write one piece of injection code that can be applied to multiple objects. It's easier to show this in action!

He includes a sample configuration file (with a setting for "setting_1") and the interface you implement to structure the load request. He then shows how to hook this into the controller and the code needed for the module "getControllerConfig" (or "getServiceConfig" for use with services) to load in the file and set it to the correct object.

OK, I have a Comment model and I want to relate Comment objects to several other different model types. So, I need to be able to persist Comment objects in my database that relate to the author of the comment and one of a handful of other tables, for example, a blog post or a licence record, etc.

She includes the contents of her "schema.yml" definition and the code to create and display a basic form. Inside of her "executeCreate", the form's submission is handled and a "processForm" method is called and the overridden "updateObject " is used to inject the new data (a user ID) into the submission.

This provides MVC applications a natural location for presentation logic and lazy functionality while maintaining the segregation between the layers of responsibility within the code. It allows designers access to data and methods they need, while hiding aspects that aren't needed at view level. [...] Indeed, pretty much any modern Web framework has an understanding of the important segregation of duties inherent within MVC. It is precisely this segregation that leads to a certain greyness around the all-important View, particularly on sites where multiple content items are displayed in different ways.

The tutorial he includes shows how to set up a site with multiple articles per page that can be shown as either headlines or just title text. He talks about three ways to accomplish this - the usual injection of all data into the view and having it handle it there, injecting a model directly and extracting data from it and the ViewModel approach (a combination of the Decorator and Adapter design patterns).

I thought it might be a good idea to gather a few test cases demonstrating the problem. Why PHP allows these URL's is beyond me and it wouldn't take much work to filter out these malicious URL's in the PHP code.

He provides four test cases to show how simple it is to abuse - one using a HTTP header, another pushing XSS through, the third mentions search pages and the fourth a direct code injection.

You can download the code here.