WEB2PY Enterprise Web Framework / 2nd Ed.
Massimo Di Pierro
©2009 by Massimo Di Pierro. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the web at www.copyright.com. Requests to the Copyright owner for permission should be addressed to:
Massimo Di Pierro School of Computing DePaul University
243 S Wabash Ave Chicago, IL 60604 (USA) Email: mdipierro@cs.depaul.edu
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Library of Congress Cataloging-in-Publication Data:
WEB2PY: Enterprise Web Framework. Printed in the United States of America.
to my family
I am guilty! After publicly complaining about the existence of too many Python based web frameworks, after praising the merits of Django, Pylons, TurboGears, CherryPy, and web.py, after having used them professionally and taught them in University level courses, I could not resist and created one more: web2py.
Why did I commit such a crime? I did it because I felt trapped by existing choices and tempted by the beautiful features of the Python language. It all started with the need to convince my father to move away from Visual Basic and embrace Python as a development language for the Web. At the same time I was teaching a course on Python and Django at DePaul University. These two experiences made me realize how the beautiful features of those systems were hidden behind a steep learning curve. At the University for example we teach introductory programming using languages like Java and C++ but we do not get into networking issues until later courses. In many Universities students can graduate in Computer Science without ever seeing a Unix Bash Shell or editing an Apache configuration file. And yet these days to be an effective web developer you must know shell scripting, Apache, SQL, HTML, CSS, JavaScript, and Ajax. Knowing how to program in one
Most of the development work was done in the summer of 2007 while I was on vacation. Since web2py was released many people have contributed by submitting patches to fix bugs and to add features. web2py has evolved steadily since and yet it never broke backward compatibility. In fact, web2py has a top-down design vs. the bottom-up design of other frameworks. It is not built by adding layer upon layer. It is built from the user perspective and it has been constantly optimized inside in order to become faster and leaner, while always keeping backward compatibility. I am happy to say that today web2py is one of the fastest web frameworks and also one of the smallest (the core libraries including the Database Abstraction Layer, the template language, and all the helpers amount to about 300KB; the entire source code including sample applications and images amounts to less than 2.0MB).
Yes, I am guilty, but so are the growing number of users and contributors. Nevertheless, I feel I am no more guilty than the creators of the other frameworks I have mentioned.
Finally, I would like to point out that I have already paid a price for my crime, since I have been condemned to spend my 2008 summer vacation writing this book and my 2009 summer vacation revising it.
This second edition describes many features added after the release of the first edition, including CRUD, Access Control, and Services.
I hope you, dear reader, understand I have done it for you: to free you from current web programming difficulties, and to allow you to express yourself more and better on the Web.
CHAPTER 1
INTRODUCTION
of secure database-driven web applications; it is written in Python [2] and programmable in Python. web2py is a full-stack framework, meaning that it contains all the components you need to build fully functional web applications.
engineering practices, such as using the Model View Controller (MVC) pattern. web2py separates the data representation (the model) from the data presentation (the view) and also from the application logic and workflow (the controller). web2py provides libraries to help the developer design, implement, and test each of these three parts separately, and makes them work together.
web2py is built for security. This means that it automatically addresses many of the issues that can lead to security vulnerabilities, by following well established practices. For example, it validates all input (to prevent injections), escapes all output (to prevent cross-site scripting), renames uploaded files (to prevent directory traversal attacks), and stores all session information
on the Google App Engine (GAE) [12]. Once one or more database tables are defined, web2py also generates a fully functional web-based database administration interface to access the database and the tables.
web2py differs from other web frameworks in that it is the only framework to fully embrace the Web 2.0 paradigm, where the web is the computer. In fact, web2py does not require installation or configuration; it runs on any architecture that can run Python (Windows, Windows CE, Mac OS X, iPhone, and Unix/Linux), and the development, deployment, and maintenance phases for the applications can be done via a local or remote web interface.
implementation), versions 2.4, 2.5 and 2.6, although "officially" we only support 2.5, else we cannot guarantee backward compatibility for applications. web2py provides a ticketing system. If an error occurs, a ticket is issued to the user, and the error is logged for the administrator.
As long as applications do not explicitly contain web2py source code, they are not considered "derivative works". web2py also allows the developer to bytecode-compile applications and distribute them as closed source, although they will require web2py to run. The web2py license includes an exception that allows web developers to ship their products with original pre-compiled
Another feature of web2py is that we, its developers, commit to maintain backward compatibility in future versions. We have done so since the first release of web2py in October, 2007. New features have been added and bugs have been fixed, but if a program worked with web2py 1.0, that program will still work today.
Here are some examples of web2py statements that illustrate its power and simplicity. The following code:

    db.define_table('person',
        Field('name', 'string'),
        Field('image', 'upload'))
creates a database table called "person" with two fields: "name", a string; and "image", something that needs to be uploaded (the actual image). If the table already exists but does not match this definition, it is altered appropriately. Given the table defined above, the following code:
Python programming typically follows these basic principles:
• Don’t repeat yourself (DRY)
• There should be only one way of doing things
• Explicit is better than implicit
web2py fully embraces the first two principles by forcing the developer to use sound software engineering practices that discourage repetition of code
application development (creating and processing forms, managing sessions,cookies, errors, etc.)
web2py differs from other frameworks with regard to the third principle, which sometimes conflicts with the other two. In particular, web2py automatically imports its own modules and instantiates its global objects (request, response, session, cache, T) and this is done "under the hood". To some this may appear as magic, but it should not. web2py is trying to avoid the annoying characteristic of other frameworks that force the developer to import the same modules at the top of every model and controller.
web2py, by importing its own modules, saves time and prevents mistakes, thus following the spirit of "don’t repeat yourself" and "there should be only one way of doing things".
If the developer wishes to use other Python modules or third-party modules, those modules must be imported explicitly, as in any other Python program.
At its most fundamental level, a web application consists of a set of programs (or functions) that are executed when a URL is visited. The output of the program is returned to the visitor and rendered by the browser.
The two classic approaches for developing web applications are:
• Generating HTML [13, 14] programmatically and embedding HTML
as strings into computer code
• Embedding pieces of code into HTML pages
The first model is the one followed, for example, by early CGI scripts. The second model is followed, for example, by PHP [15] (where the code is in PHP, a C-like language), ASP (where the code is in Visual Basic), and JSP (where the code is in Java).
Here we present an example of a PHP program that, when executed, retrieves data from a database and returns an HTML page showing the selected records:

    <html><body><h1>Records</h1><?
    mysql_connect('localhost', 'username', 'password');
    @mysql_select_db('database') or die("Unable to select database");
    $query = "SELECT * FROM contacts";
of pages (files) that make up the application
The functionality of the above example can be expressed in web2py with two lines of Python code:

    def index():
        return HTML(BODY(H1('Records'), db().select(db.contacts.ALL)))

In this simple example, the HTML page structure is represented programmatically by the HTML, BODY, and H1 objects; the database db (1) is queried by the select command; finally, everything is serialized into HTML.
This is just one example of the power of web2py and its built-in libraries. web2py does even more for the developer by automatically handling cookies, sessions, creation of database tables, database modifications, form validation, SQL injection prevention, cross-site scripting (XSS) prevention, and many other indispensable web application tasks.
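As an added illustration (not web2py's own code), the following self-contained Python model of the HTML/BODY/H1 helper style shows how serializing a tree of helpers can escape every plain string it renders, which is the mechanism behind the XSS protection mentioned here and again in the Security section. The TAG, XML, TABLE/TR/TD classes and the RECORDS rows are constructed stand-ins for web2py's helpers and for the rows returned by db().select(db.contacts.ALL).

```python
import html


class XML:
    """Wrapper marking a string as trusted HTML that is emitted verbatim.
    Models the role of web2py's XML helper; this is a simplified stand-in."""
    def __init__(self, text):
        self.text = text

    def xml(self):
        return self.text


def serialize(component):
    """Render one child: helpers and XML render themselves, everything
    else is treated as untrusted text and HTML-escaped (quotes included)."""
    if hasattr(component, 'xml'):
        return component.xml()
    return html.escape(str(component), quote=True)


class TAG:
    """Minimal helper: a tag name, child components and attributes.
    Attribute names use web2py's leading-underscore style (_class='x')."""
    tag = ''

    def __init__(self, *components, **attributes):
        self.components = list(components)
        self.attributes = attributes

    def xml(self):
        attrs = ''.join(' %s="%s"' % (k.lstrip('_'), html.escape(str(v), quote=True))
                        for k, v in self.attributes.items())
        inner = ''.join(serialize(c) for c in self.components)
        return '<%s%s>%s</%s>' % (self.tag, attrs, inner, self.tag)


class HTML(TAG): tag = 'html'
class BODY(TAG): tag = 'body'
class H1(TAG): tag = 'h1'
class TABLE(TAG): tag = 'table'
class TR(TAG): tag = 'tr'
class TD(TAG): tag = 'td'


# Constructed sample rows standing in for db().select(db.contacts.ALL);
# the second row carries a script tag as a user-supplied "name".
RECORDS = [
    {'name': 'Alice', 'phone': '555-0100'},
    {'name': '<script>alert(1)</script>', 'phone': '555-0199'},
]


def records_page(records):
    """Same shape as the index() action above, with rows laid out as a table."""
    rows = [TR(TD(r['name']), TD(r['phone'])) for r in records]
    return HTML(BODY(H1('Records'), TABLE(*rows))).xml()
```

Only a value explicitly wrapped in XML() reaches the page unescaped, so a developer has to opt in to trusting a string rather than opt in to escaping it.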
Web frameworks are typically categorized as one of two types: A "glued" framework is built by assembling (gluing together) several third-party components. A "full-stack" framework is built by creating components designed specifically to work together and be tightly integrated.
built from scratch and designed to work together, but they function just as well outside of the complete web2py framework. For example, the Database Abstraction Layer (DAL) or the template language can be used independently
that contains system libraries. Some web2py libraries, such as building and processing forms from database tables, have dependencies on other portions
including other template languages and DALs, but they will not be as tightly integrated as the original components.
data presentation (the view) and the application workflow (the controller). Let’s consider again the previous example and see how to build a web2py application around it.
(1) There is nothing special about the name db; it is just a variable holding your database connection.
• The Models, Views and Controller components make up the user application. There can be multiple applications hosted in the same web2py instance.
• The dashed arrows represent communication with the database engine (or engines). The database queries can be written in raw SQL (discouraged) or by using the web2py Database Abstraction Layer (recommended), so that web2py application code is not dependent on the specific database engine.
• The dispatcher maps the requested URL into a function call in the controller. The output of the function can be a string or a dictionary of symbols (a hash table). The data in the dictionary is rendered by a view. If the visitor requests an HTML page (the default), the dictionary is rendered into an HTML page. If the visitor requests the same page in XML, web2py tries to find a view that can render the dictionary in XML. The developer can create views to render pages in any of the already supported protocols (HTML, XML, JSON, RSS, CSV, RTF) or additional custom protocols.
• All calls are wrapped into a transaction, and any uncaught exception causes the transaction to roll back. If the request succeeds, the transaction is committed.
• web2py also handles sessions and session cookies automatically, and when a transaction is committed, the session is also stored.
• It is possible to register recurrent tasks (cron) to run at scheduled times and/or after the completion of certain actions. In this way it is possible to run long and compute-intensive tasks in the background without slowing down navigation.
Here is a minimal and complete MVC application consisting of three files:
• "db.py" is the model:
    db = DAL('sqlite://storage.sqlite')
    db.define_table('contacts',
        Field('name'),
        Field('phone'))

It connects to the database (in this example a SQLite database stored in the storage.sqlite file) and defines a table called contacts. If the table does not exist, web2py creates it and, transparently and in the background, generates SQL code in the appropriate SQL dialect for the specific database engine used. The developer can see the generated SQL but does not need to change the code if the database back-end, which defaults to SQLite, is replaced with MySQL, PostgreSQL, MSSQL, FireBird, Oracle, DB2, Informix, or Google Big Tables in the Google App Engine.
Once a table is defined and created, web2py also generates a fully functional web-based database administration interface to access the database and the tables. It is called appadmin.
• "default.py" is the controller:

    def contacts():
        return dict(records=db().select(db.contacts.ALL))
In web2py, URLs are mapped to Python modules and function calls. In this case, the controller contains a single function (or "action") called contacts. An action may return a string (the returned website) or a Python dictionary (a set of key:value pairs). If the function returns a dictionary, it is passed to a view with the same name as the controller/function, which in turn renders it. In this example, the function contacts performs a database select and returns the resulting records as a value associated with the dictionary key records.
• "default/contacts.html" is the view:
by the special {{ and }} delimiters. This is quite different from the PHP code example, because the only code embedded into the HTML is "presentation layer" code. The "layout.html" file referenced at the top of the view is provided by web2py and constitutes the basic layout for all web2py applications. The layout file can easily be modified or replaced.
and unique features. web2py was originally developed as a teaching tool, with the following primary motivations:
• Easy for users to learn server-side web development without compromising on functionality. For this reason web2py requires no installation, no configuration, has no dependencies (2), and exposes most of its functionality via a web interface.
• web2py has been stable from day one because it follows a top-down design; i.e., its API was designed before it was implemented. Even as new functionality has been added, web2py has never broken backwards compatibility, and it will not break compatibility when additional functionality is added in the future.
• web2py proactively addresses the most important security issues that plague many modern web applications, as determined by OWASP [19] below.
• web2py is light. Its core libraries, including the Database Abstraction Layer, the template language, and all the helpers amount to 300KB. The entire source code including sample applications and images amounts to 2.0MB.
• web2py has a small footprint and is very fast. It uses the CherryPy [16]
mod proxy and four times faster than the Paste http server. Our tests also indicate that, on an average PC, it serves an average dynamic page without database access in about 10ms. The DAL has very low overhead, typically less than 3%.
(2) except for the source code distribution, which requires Python 2.5 and its standard library modules
The Open Web Application Security Project [19] (OWASP) is a free and open worldwide community focused on improving the security of application software.
OWASP has listed the top ten security issues that put web applications at risk. That list is reproduced here, along with a description of how each issue is addressed by web2py:
• "Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, possibly introduce worms, etc."
web2py, by default, escapes all variables rendered in the view, preventing XSS.
• "Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is
(3) The Web Server Gateway Interface [17, 18] (WSGI) is an emerging Python standard for communication between a web server and Python applications.