Microsoft doesn’t include mod_rewrite-style functionality in IIS by default, though it has created an extension for IIS7. Since we are currently using IIS6 the extension isn’t an option for us. Fortunately there are a few other options available, including an open-source project called Ionics Isapi Rewrite Filter (IIRF). IIRF is an ISAPI filter that is very similar to mod_rewrite in terms of functionality. After some testing I’ve found this filter works almost perfectly for enabling CakePHP’s friendly URLs.

Getting Started

Installation is painless and requires only a few steps. The following is based on the IIRF 2.0.1.15 release which does not include an installer:

1. Extract the files from the IIRF archive to a folder on the server.
2. Open the properties of the IIS root “Web Sites” folder or the specific site that needs IIRF.
3. In the “ISAPI Filters” tab create a new entry for IIRF; name the new filter (e.g. “IIRF”); specify the IIRF DLL located with the extracted IIRF files at \bin\IIRF.dll.
4. Ensure that the IIS user has read/execute access to the IIRF DLL and read/write access to any directories that will be used for logging.
5. Restart IIRF.

IIRF should now be installed, but I’ve found that sometimes the filter won’t appear to be active in the “ISAPI Filters” tab until it has been used the first time. To enable IIRF all you have to do is create a file called IIRF.ini and place it in the web site root folder or in the root of a virtual directory. This file contains any local configuration directives (such as log directory) and URL rewriting rules.

The obligatory gotcha

I mentioned before that the filter works almost perfectly. The only situation where I’ve had problems up to now is if the URL contains one or more space characters. The IIRF log indicates that a URL with a space is being parsed correctly and returning a valid URL. And yet the web server reports a 404 error.

I’ve only done testing when the final URL references a physical file, but based on a conversation in the support forum I suspect this problem also affects parameters in the querystring. I haven’t yet had a chance to fully investigate the issue, so I don’t have a work-around yet when the issue affects physical files. There does, however, appear to be a work-around for spaces in the querystring.

For now I have decided to ensure that any URLs parsed by IIRF that will point to a physical file/directory does not contain spaces.

References

CakePHP usage:

• CakePHP, IIRF REQUEST_FILENAME problem
• Sample IIRF.ini for CakePHP  installation

Space-in-URL problems:

• Url rewrite and whitespaces
• Space character in URL: rewrite appears correct, 404 returned

The majority of the coding modifications have yet to be made, but the database switch has already occurred. In the process of moving from MS Access to MySQL I discovered a few settings that would be helpful should this action need to be performed for other applications. These settings should enable similar applications to be moved with minimal modification to the programming.

First, let’s review some settings related to the MySQL ODBC driver. The settings are relevant to all versions of the driver, but the name of the setting may be different on different versions (I’m using 5.1.6). Here are the options which should be selected:

• Return matched rows instead of affected rows
• Treat BIGINT columns as INT columns
• Enable safe options

The following information relates more generally to changes that may have to be made in the code:

• MySQL doesn’t really support server-side cursors so the ODBC drivers fakes it. This is, mostly, fine except that some properties of the Recordset object are not available (namely RecordCount). In order to get full cursor support you should change the location from the server to the client (adUseClient; 3).
• ASP doesn’t understand non-signed integers. This causes problems when performing operations using these values unless you manually type the value in your script, e.g. scriptvar = CInt(objrs(“dbcol”)). The other solution is to make all integers signed. Otherwise you will see the error: Variable uses an Automation type not supported in VBScript.
• Finally, check your SQL statements for any VBA function calls. These will either have to be modified into MySQL-compatible function calls or removed from the SQL code altogether.

There are a number of issues that may be encountered when attempting to convert an ASP-based application from MS Access to MySQL. The issues addressed here are only those relevant to this particular application. Other applications may require additional or different solutions and settings.

Resources:

• MS Access to MySQL migration script
• MySQL Developer Zone: MySQL CursorTypes, LockTypes, and CursorLocations
• MySQL 5.1 Reference Manual: 21.1.4. Connector/ODBC Configuration
• MySQL Forums: type confusion in asp
• MySQL Lists: Problem with RecordCount with ASP & MySQL

When our code is maintained in a subversion repository there are two options for including third-party code: externals and vendor branches.

Externals

For third-party code that will require little modification an externals property definition is preferred. Subversion externals are pointers to subversion sources outside the current path (either within the current repository or that are stored in entirely different repositories). Whenever a copy of our own project is checked out from the repository the third-party code is also checked out. One benefit of this approach is that a local copy of the third-party code does not have to be maintained. If an update to third-party code is available you only need to update the externals reference to the third-party repository.

For example, we want to add an externals definition for FCKEditor to our project. For the sake of this example we’ll use the 2.6.4-tagged version of FCKEditor and we’ll link this to the /includes/fckeditor path of our project. The steps are as follows:

1. Ensure that /includes/fckeditor does not exist;
2. From the root of the working copy of the project run the following command:

   svn propset svn:externals 'fckeditor http://svn.fckeditor.net/FCKeditor/tags/2.6.4' includes

3. Update the local working copy of the project

That’s all there is to it.

When using externals I recommend that we only point to stable (tagged) versions of third-party projects. By pointing to a stable version we can test for bugs and for compatibility between our code and the third-party code prior to implementing updates on our own systems.

Vendor Branches

Vendor branches are locally-maintained copies of third-party code. Vendor branches are treated much like any project developed in-house. Using vendor branches is less desirable mainly due to the extra work required to update the code in the repository when significant additions and deletions have been made by the third-party. However, it is advisable to use a vendor branch when third-party code will require significant modification in order to be useful in own project.

To set up a vendor branch, first create a new project in the subversion repository as described in the post Using Subversion for Application Development and Deployment. Note that it is standard to place vendor branches in a subdirectory of the “/vendor” directory of the repository. Once this is done we can tag stable versions and create branches just as we do with any other project in the repository. To add the vendor branch to another project within our repository I would recommend using an externals link much as we would for any third-party code. This should ease maintenance as the code is updated.

When third-party code is updated there are two methods you can use to update the vendor branch. The first method is best used when there are only a few files added to or removed from the third-party code. In this situation you can manually update a working copy of the trunk with the new release and commit the modifications. Any in-house changes to the code will have to be re-created (either by editing the code again or merging with an older branch).

When a significant number of file changes have been made to the third-party code it’s easiest to use svn_load_dirs.pl. This file will perform all the operations of adding, removing, and updating the files in the repository. And with the -t option you can automatically create a tagged (stable) version. For example, to update a vendor branch of the Yahoo! UI Library to version 2.6.0 you would issue the following command:

svn_load_dirs.pl -t tags/2.6.0 svn+ssh://svnrepo/vendor/yui trunk /src/yui-2_6_0

There are four parts to this command:

• -t tags/2.6.0 : creates a tagged version of the imported code
• svn+ssh://svnrepo/vendor/yui : the location of the vendor branch
• trunk : the subdirectory of the vendor branch where the updated code should be imported
• /src/yui-2_6_0 : the path to the updated YUI library code downloaded from the YUI site

Once you’ve executed this command you would continue with modification of the vendor branch just as you would if you had updated it manually.

Wrap-up

Working with both externals and vendor branches should ease the process of integrating third-party code. For more detailed information on these topics see the documentation from the SVN book.

• Version Control with Subversion: Externals Definitions
• Version Control with Subversion: Vendor Branches

From what I can tell, when CakePHP specifies the values for all columns when it creates a new record. A column with a defined default that is not specifically set by the user is manually set by CakePHP (rather than let MySQL handle defaults upon record insertion). But CakePHP doesn’t understand the CURRENT_TIMESTAMP keyword and so treats it as a string and wraps it in quotes. This breaks the resulting INSERT statement and you receive an error:

Incorrect datetime value: ‘CURRENT_TIMESTAMP’

Interestingly, columns that are named “created” and “modified” receive special handling by CakePHP. These columns are treated like auto-update columns by CakePHP and it sets them as expected. With the special handling of these columns in mind it is possible to get around the CURRENT_TIMESTAMP bug by following the recommended settings for created/modified columns, i.e. specifying the field as DATETIME with a default of NULL. CakePHP will automatically update the columns when inserting/updating records.

References:

• MySQL Reference Manual: 10.3.1.1. TIMESTAMP Properties
• CakePHP Cookbook: 3.7.2.3 created and modified

First, follow the steps of the Simple Acl controlled Application tutorial from the CakePHP cookbook up to the section on logging in.

Next, we need to insert the code that updates the ARO when a user is added or edited. Normally you would place this code in your add/edit action in the users controller, but for scaffolded actions we’ll use another callback function. Add the following code to your users controller:

function _afterScaffoldSave($action) {
  $aro =& $this->Acl->Aro;
  $user = $aro->findByForeignKeyAndModel($this->data['User']['id'], 'User');
  $group = $aro->findByForeignKeyAndModel($this->data['User']['group_id'], 'Group');
  $aro->id = $user['Aro']['id'];
  $aro->save(array('parent_id' => $group['Aro']['id']));
  return TRUE;
}

Note: for scaffold callbacks you must return TRUE; or the scaffold will not finish building the page.

The above code has been modified from the original in the tutorial, which included a conditional that checked for a change in the user’s group. As far as I can tell scaffolding causes CakePHP to return only the updated record (even when using the _beforeScaffold method) so you’re unable to compare the old and new values. As a result you have to update the ARO with every update, even if the user’s group is not updated.

Finally, for scaffolded actions we need a way to determine if the user is authorized. The AuthComponent has all the functionality we need. Add the following function to any controller using scaffolding that needs auth^2:

function _beforeScaffold($action) {
  if ($this->Auth->user() == NULL && !in_array('*', $this->Auth->allowedActions) && !in_array($action, $this->Auth->allowedActions)) {
    $this->Session->write('Auth.redirect', '/' . $this->name . '/' . $action);
    $this->Auth->loginRedirect = array('controller' => $this->name, 'action' => $action);
    $this->redirect($this->Auth->loginAction, NULL, TRUE);
    return FALSE;
  } else if (!in_array('*', $this->Auth->allowedActions) && !in_array($action, $this->Auth->allowedActions) && $this->Auth->user() !== NULL && !$this->Acl->check($this->Auth->user(),$this->Auth->action())) {
    $url = '/' . implode('/',$this->Auth->loginAction) == $this->referer() ? '/' : $this->referer();
    $this->Session->setFlash('You do not have permission to perform that action.');
    $this->redirect($url, NULL, TRUE);
  }
}

This function checks to see if the user is logged in when accessing restricted actions. If not, the user is redirected to the login page. If so, and if the user is attempting to access a page for which he has no permissions, then the user is bounced back to the referring page.

Of course, you can skip all this if you build a skeleton CRUD using cake bake and specify not to use scaffolding.

While I was at it, I decided to see how the JS+CSS was working in Safari (latest version on Windows and Mac) and Opera (latest versions on Windows). There were some minor issues with these browsers that I fixed as well. Quickly, Safari and Opera both were having trouble displaying the bullets in my ordered list when the pseudo multi-column-styling was applied. The odd thing is that the numbers were there, just not visible until an element was forced on top of them.

Finally, I decided to update the multi-column list code on the web site to that used in Benchmarks (which is more robust). I did run across one problem in the update that I may have to investigate further. Essentially, the script was not correctly positioning the second+ columns if a margin was specified on the container OL/UL.

This bug has been documented by Microsoft for Excel 2003 and earlier. The solution given by Microsoft is poorly worded, but basically it says to make sure the cells at the end of a row always contain data. Not always a realistic proposition. Luckily I found a step-by-step solution that works perfectly:

Put a formula that evaluates to empty (=”" ) in the last column of  the rows that are empty:

1. select the range in the last column: edit->goto, click on the “Special…” button, Choose “Blanks” and click OK.
2. type the formula: =”"
3. hit ctrl-enter

Now when you save the document the appropriate number of delimeters should be present, even in rows with empty cells.

Long URLs

The main problem with GET is that the total size a URL is allowed to be (and thus the amount of data passed) is fairly limited when compared to POST. The exact limit varies by browser and web server, but a practical limit is the lowest limit across platforms. In this case that is 2083 characters in Internet Explorer.

Since each report has to pass the list of included packets and items, the URL could easily surpass this limit. Recently one user generated a report that went over the IE limit. Figuring this out, though, proved to be somewhat difficult.

Held up at security

The user in question was using Firefox to access the utility. The report in question was generating and displaying just fine. However, when the user tried to download the report an error would result. It seemed odd that the browser would display the report on screen without issue then error out when attempting to download the same report.

I tried many options, but no matter what I did I was unable to download the report in Firefox. Next I tried the same report in IE and the situation started to clarify. IE would not even display the report. So now I was beginning to think that maybe the GET request was causing problems. Still it was difficult to fathom Firefox displaying the report on screen but refusing to download it.

A little web research finally clarified everything. Firefox attempts to honor the Windows Internet security zone settings for downloaded files. In order to apply the security zone settings Windows has to pass the URL to the IE engine for analysis. Firefox allows URLs of significantly larger size than IE, so the same URL that displays correctly on Firefox will thus cause IE to error out. Since Firefox attempts to honors the security settings, when IE coughs up a hairball due to the URL length the download is aborted.

Solving the problem

Initially I thought to just shorten the request by modifying the variable names on the form. This worked well enough for the problem at hand, but I could easily see having to address the problem again in the future. In the end I decided to modify the code behind the page so that the report parameters are submitted by POST instead of GET. It required more work up front, but will prevent this problem from cropping up in the future.

Plus, the utility has an option to save reports, so bookmarking/sharing is not as much of an issue.

References

• Boutell.Com: WWW FAQs: What is the maximum length of a URL?
• Firefox Facts: Security Zone Policy Errors in Firefox 3
• mozillaZine: Unable to save or download files

In my case, I was taking a form submission and redirecting it to a new page, appending the submitted data as URL parameters (e.g. of the form /controller/action/name:value). CakePHP handles ampersand in POST-submitted forms just fine, but during the redirect I noticed that the value of the parameter was cut off at the ampersand. For example, I’m creating a search form for a list of items (located at /items/index). When you submit the form with a value of “ball & chain” the controller sees it just fine. The form is submitted to the search action (/items/search) which takes the values, constructs a new URL, and redirects back to the item list (/items/index/Search.keywords:ball+%26+chain). However, the index action only sees “ball ” … the rest of the value is assumed to be additional key/value pairs in the querystring.

This problem seems like a pretty major issue to me. A bug report has already been filed, but I don’t believe it will be addressed anytime soon. And for good reason, the bug is actually in Apache’s mod_rewrite module rather than in CakePHP. When mod_rewrite processes a URL it unescapes any escaped characters (newer releases unescape to two levels). What this means for CakePHP is that any escaped characters in the URL become normal characters in the querystring (%26 becomes &).

The best overview of the problem has a good work-around, but it requires modification of the core CakePHP scripts. I’ll leave that to the experts. On our install I’ve found that a triple-escaped value will only be unescaped twice, resulting in the proper escaping after being parsed by mod_rewrite.

References

• The Apache mod_rewrite Problem
• mod_rewrite & ampersand
• Escape problem in mod_rewrite [P] action…
• Make mod_rewrite escaping optional / expose internal map
• Handle ampersands in search queries and other URLs when clean URLs are on
• Short URL/Ampersand solution

• SitePoint: Simple Clearing of Floats
• QuirksMode: Clearing Floats
• mezzoblue: Clearance

Of course, there can be advantages to the default float rendering. Most notably I found it useful for creating some nice formatting around blockquotes, such as in our textbook analysis report.