Development

This is where the software is developed – it’s the working environment for individual developers or small teams. The purpose of this environment is for the developer to work on local host, separate from the rest of the team, allowing them to make various changes without worrying that it may alter the work of the other members of the team.

Staging

It is used to assemble, test and review the application before it goes into production. Usually the staging environment tries to simulate as much as possible the production environment (hardware and software-wise). Normally, before releasing an update version of the application on the production environment, the update must be tested on the staging environment. This environment can also be used as a demonstration/training environment.

Production

It is the “live” environment, where the final application goes out to the world and becomes active.

To switch from one environment to another use the Subversion source code.

Using SVN on Aptana is an article that explains how to set your development environment on your local computer and then to change it on your staging environment.

To better understand the development of an application using environments, check this helpful article http://dltj.org/article/software-development-practice/

NOTE:This release marks the end of the active support for PHP 5.2. Following this release the PHP 5.2 series will receive no further active bug maintenance. Security fixes for PHP 5.2 might be published on a case by cases basis. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3

PHP 5.3.3 is just released ,  so is time to upgrade every project  to PHP 5.3.x branch, and also upgrade all servers to 5.3.x

• query (mixed $sql, [mixed $bind = array()])
  • use prepare statements internally
  • but SQL Injection is still possible if $sql is dynamically created
• fetchAll (string|Zend_Db_Select $sql, [mixed $bind = array()], [mixed $fetchMode = null])
  • all the fetch methods are using prepared statements internally
  • but SQL Injection is still possible if $sql is dynamically created
• insert (mixed $table,  $bind)
  • use prepare statements internally
  • so, SQL Injection is not possible
• update (mixed $table,  $bind, [mixed $where = ''])
  • use prepare statements internally
  • but SQL Injection may be possible if $where is created dynamically
• delete (mixed $table, [mixed $where = ''])
  • SQL Injection may be possible if $where is created dynamically

Note*: even if you use prepared statements using Zend_Db methods, SQL Injection is still possible if WHERE and ORDER BY clause are wrongly written, so pay attention to them.

For more details see Stefan Esser slides.

PS. A short tip, you can use cast type to avoid SQL Injection in WHERE clause where is possible.

$sql= 'SELECT * FROM table WHERE id = ' . (int)$_POST['id'];

PDO – PHP Data Objects – is a database access layer providing a standardized method of access to multiple databases.  PDO provides a data-access abstraction layer, meaning that depending on what database you’re using, you will have apply the same functions to issue queries and fetch data. PDO does not provide a database abstraction; it doesn’t rewrite SQL or emulate missing features. Among  PDO benefits there are:
-    Access methods allow complete control over how attributes are read and written
-    Validation on a per-record and per-attribute level
-    Easier fetching of objects from related table
-    Reusable logic – means that the same codebase is much easier to maintain
-    Cleaner code by using object oriented code
-    Less errors from SQL query generation
-    Last but not least : Protection against SQL injection

In Zend Framework for database access, methods usually support prepared statements. Dynamic SQL queries are allowed, but you must escape all the parameter, otherwise you have SQL injection.  Because of this, prepared statements are encouraged to be used. They can handle escaping parameters for you.
Most people believe that using prepared statements they are 100% protected from SQL injection. But this is by far true. Input data should always be validated and sanitized, and PDO should be seen as another line of defense. PDO is not protecting you from other security vulnerabilities like XSS(cross-site scripting), but helps protect your application against SQL injection.

It may also occur a problem in Zend Framework when you have SQL injection in your application while you are using PDO_MySQL. PDO_MySQL is a more dangerous application than any other traditional MySQL applications. Traditional MySQL allows only a single SQL query. In PDO_MySQL there is no such limitation, but you risk to be injected with multiple queries. To avoid this you should try to use the correct prepared statements from Zend Framework. You should also pay attention when you have in your SQL query WHERE IN and ORDER BY; they cannot be handled by prepare statements normally. In this case you should escape your data.

Zend_Db has two escaping methods which can be used: quote() and quoteIdentifier(). Note that these two methods are handling strings by putting them between single quotes.

For more details see:

http://ezinearticles.com/?SQL-Injection-Protection-in-PHP-With-PDO&id=1815110

http://www.zend.com/webinar/Framework/70170000000bEs9-webinar-secure-application-development-with-the-ZF-20100505.flv

The very super good news is that Aptana PHP Support is back , based on an annoucement from their forum. And even more,  will be integrated in Studio 3 core, not as a separate plugin.

Aptana PHP is coming back. We are in the process of developing and integrating it into the Studio 3.
The debugger will also be introduced, but it will take a few weeks till you’ll be able to get it.

At the moment, the idea is to provide the PHP debugger as a separate set of plugins that you will be able to grab from the Studio. The majority of the PHP editing capabilities will be integrated into, and delivered with, the Studio core.

Cheers,
-Shalom G

p.s. You can follow us on twitter for any major announcements, or follow me ‘sgibly’ for more frequent progress updates.

1. Aptana -> Help -> Install New Software
2. Add http://update.aptana.com/install/php
3. Then select Aptana PHP and install it.

In case you don’t have yet a SVN plugin, go to

1. Aptana -> Help -> Install Aptana Features
2. Others -> Subclipse
3. Follow the instructions