A Modern PHP Framework for Developers Who Love Pure PHP

PHP is the dominant server-side language of the web, powering millions of websites and applications. With a thriving community and countless frameworks, you might wonder: Do we really need another PHP framework? For a growing number of developers, the answer is clear: Yes, we do.

While PHP frameworks have brought innovation and convenience to web development, many fall short in key areas like performance, stability, and developer productivity. Furthermore, the broader web development community has increasingly encountered challenges stemming from a phenomenon known as rewrite culture.

What Is Rewrite Culture?

Rewrite culture refers to the frequent breaking, rewriting, and reversioning of frameworks and tools, often without clear benefits to the end user. This creates challenges for developers and clients alike, who may find their projects prematurely deemed "outdated" due to unnecessary versioning changes. One thing is for sure: No developer wants to tell a client, "Your site is now out of date because the framework it was built on just introduced breaking changes."

A Better Way

Trongate was built on the belief that there is a better way. By prioritising stability and continuous improvement without disruption, Trongate provides developers with a dependable foundation for building robust, future-proof applications. This commitment to stability is what sets Trongate apart.

Put simply, if there’s any PHP framework that prioritises stability more than Trongate, we haven’t found it!

In addition to prioritising stability, Trongate was also built with no third-party dependencies. To be clear, there’s nothing wrong with using third-party code; sometimes it’s positively beneficial. The key difference is that Trongate was built — from the ground up — with no third-party code at all.

This means that the framework is able to offer unparalleled levels of stability and security.

Whilst Trongate's approach to web development is a radical departed

A Fresh Approach To Web Development

Trongate isn't just another PHP framework—it's a fresh approach to web development, designed for developers who value stability, performance, and simplicity. It's lightweight, fast, and free of unnecessary dependencies, offering all the benefits of working with pure PHP while eliminating common frustrations.

The Problems Trongate Solves

1. Performance Bottlenecks
   Heavy abstractions in some frameworks can slow down your application. Trongate's lightweight core ensures blazing-fast performance, even as your project scales.
2. Unnecessary Complexity
   Overly complex frameworks can overwhelm developers. Trongate simplifies the development process with a clean, intuitive structure that allows you to focus on building applications.
3. Bloated Dependencies
   Some frameworks rely heavily on third-party libraries, which can lead to compatibility and maintenance issues. Trongate avoids this with zero third-party dependencies, providing everything you need in one package.
4. Slower Development Speeds
   Over-engineering can slow down development. Trongate is optimised for speed, helping you build and launch applications faster and more efficiently.

A Framework for the Modern Developer

Trongate is perfect for developers who want the freedom to work with pure PHP without the bloat and complexity of traditional frameworks. It's ideal for:

• Web Developers building websites of any scale.
• API Developers creating fast, reliable RESTful APIs.
• Business Owners seeking dependable, high-performance software.

More Than Just a PHP Framework

Trongate has rapidly evolved into much more than a PHP framework. With Trongate, you gain access to a complete ecosystem of tools designed to enhance your development experience. These include, but are not limited to:

• A powerful front-end JavaScript framework
• A beautifully designed and intuitive CSS library
• A free, feature-rich desktop application
• A gorgeous content management system
• And much more!

Whether you're an experienced developer or just starting out, Trongate provides the stability, simplicity, and performance you need to succeed. Welcome to the revolution. Welcome to Trongate.

The Best Way To Help

In the world of web development frameworks, success is often measured by GitHub stars. It's not a perfect system but - for better or for worse - that's the industry norm.

To help increase the momentum of Trongate and raise its profile please consider giving the Trongate PHP Framework repository a star on GitHub:

Give Trongate a Star on GitHub

Other Ways To Get Involved

Trongate is an open-source framework that thrives on community collaboration. If you discover any discrepancies, technical errors, or areas for improvement, contributions are highly encouraged. Whether it's submitting an issue, suggesting a feature, or providing a bug fix, your involvement is invaluable. Pull requests are always welcome!

Contribute to the Framework

The Trongate framework is hosted on GitHub, where all contributions are managed. If you're interested in contributing to the core framework, feel free to explore the repository and submit your changes:

Contribute to the Trongate Framework on GitHub

Contribute to the YouTube Channel

A new YouTube channel has been launched to provide tutorials, feature deep-dives, and insights into the Trongate framework. Those interested in contributing content or sharing knowledge via video are encouraged to get in touch:

Contact Form for YouTube Channel Contributions

Talk About Trongate

Regardless of what kind of presence you may have on the web, it would really help if you could spread the word about Trongate by telling people about it.

You can do this by:

• Writing articles/blog posts
• Posting video tutorials/reviews on places like YouTube
• Discussing Trongate on podcasts
• Telling your other developer friends and clients about Trongate
• Mentioning Trongate on websites like X.com

All of the above things help enormously. So, if you enjoy using Trongate, we'd be really grateful if you could help to spread the word. Every contribution is appreciated and there's no need to ask for permission!

Have You Left A GitHub Star?

Apologies for labouring the point but it's really important for Trongate to acquire GitHub stars. If Trongate doesn't get GitHub stars then it will be regarded as being a "dead framework".

So, if you have a few moments to spare, we'd be really grateful if you could give Trongate a star on GitHub.

Every time Trongate gets a star on GitHub, it's one more person saying "yes!" to stability, "yes!" to open source and "yes!" to pure PHP.

Please do give Trongate a star on GitHub - if you can. It's all we ask.

The Trongate PHP framework is available from GitHub at the following URL:

https://github.com/trongate/trongate-framework.

However, the fastest and easiest way to obtain Trongate is by using the Trongate Desktop App. This Electron-based application, built with Node.js, is completely free and always will be. It is available for Mac, Windows, and Linux and can be downloaded from:

https://trongate.io/download.

Why Use the Trongate Desktop App?

The Trongate Desktop App provides several benefits, including:

• Automatic framework downloads and setup
• Automatic updates when new features are released
• Automatic code generation
• Built-in database management
• A graphical query builder

...and much more!

Installing Without the Desktop App

For those who prefer not to use the Desktop App, Trongate can still be installed manually.

Configuring the Main Settings File

To begin, the primary configuration file, config.php, must be set up correctly. This file is located at:

The contents of config.php are as follows:

The most critical setting at this stage is the BASE_URL constant.

What is a Base URL?

The Base URL (BASE_URL) represents the root address of a website. For example, if the site is hosted at http://www.example.com/, the BASE_URL should be set as follows:

Ensuring that the base URL is correctly defined is essential for loading assets such as images and stylesheets and for proper navigation throughout the application.

After setting the BASE_URL, save the config.php file.

Setting Up the Database

Users installing Trongate manually must create and configure a database.

Step 1: The Database Configuration File

Once a database has been created (using a database management tool such as PHPMyAdmin), the database configuration file (database.php) must be updated. This file is located at:

The setup.sql file can be imported into the database management software to create the required tables. Alternatively, the SQL statements from setup.sql can be executed manually.

The content of setup.sql is as follows:

This code should be executed, either by importing setup.sql or by copying and pasting the code above from within your database management software.

Once the database setup is complete, delete the setup.sql file to enhance security.

The Trongate Desktop App can be downloaded from; https://trongate.io/download.

Please Note: The Trongate Desktop App is free of charge (it will always be free) and 100% open source.

Proceed To Download Page GitHub Repository

PHP can work with a large variety of databases. This includes 'NoSQL' databases like MongoDB and also relational databases like Postgres. However, over the years, MySQL has been - by far - the database that is most often partnered with PHP. MySQL is popular because:

• MySQL is incredibly fast
• MySQL is open source
• MySQL is relatively easy to learn
• MySQL is battle-tested (no known bugs)

The association between MySQL and PHP dates back to the mid-nineties. For better or for worse, the names 'MySQL' and 'PHP' are so strongly associated that it seems almost impossible to imagine one without having the other. However, in the strictest of terms, change has come to PHP.

Back in 2008, Sun Microsystems purchased MySQL for $500 million. Two years later, Oracle bought Sun Microsystems - and therefore acquired ownership of MySQL - as part of a 5.3 billion dollar takeover.

Oracle's takeover of Sun Microsystems came as a surprise to the tech industry and no doubt would have inspired the creation of a new open-source 'fork' of MySQL by the name of 'MariaDB'.

At the time of writing, the PHP community is somewhat split when it comes to database choice. Some popular downloadable server environments are continuing to use MySQL whilst others have dropped MySQL completely in favour of MariaDB. For example, MAMP is still using MySQL whilst XAMPP has switched to MariaDB.

Fortunately, these two different databases are virtually indistinguishable in terms of how they are used.

For simplicity and consistency, this documentation will use the word 'MySQL' to refer to a relational database that is being partnered with PHP. This word is used with the understanding that many users may not be using 'MySQL' but may instead be using MariaDB or perhaps even another database type altogether.

Regardless of whether you're using MySQL or MariaDB, rest assured your choice won't affect how you use Trongate or how you build web apps with Trongate. Even though there are a few technical differences (between MySQL and MariaDB) under the hood, you don't have to worry about them!

Trongate is a PHP framework. To write PHP code on your computer, you'll need a PHP engine and also a database such as MariaDB or MySQL. One of the easiest ways to get building with PHP is to use a local web development environment, like XAMPP.

XAMPP is a downloadable web development environment. In other words, it's an assortment of software that has been bundled together into a package that you can download and install on your computer. XAMPP includes (but is not limited to) a PHP engine by the name of Apache and a database by the name of MariaDB. There are a variety of XAMPP alternatives and also an assortment of other, more exotic ways to get PHP working on your computer. However, if you're just starting out or if you are eager to get up and running quickly and without fuss then XAMPP is hereby recommended. XAMPP is recommended because:

• It gives you the latest (major) version of PHP and MariaDB
  
• It's available for Mac, Windows and Linux
• It comes with an easy installation wizard
• It also comes with a handy database management application called 'PHPMyAdmin'
• It's 100% free

You can download a copy of XAMPP from here.

Mac Users: The makers of XAMPP have produced a "VM machine" and it has caused a little confusion for Mac developers. So, if you're a Mac user then there's a video for you that walks you through the whole XAMPP setup. The URL is: https://youtu.be/L2X6fDiqOC4?

Please go ahead and get XAMPP (or something similar) now!

The Trongate framework minimizes overheads to achieve best-in-class performance. This philosophy extends to its coding style, focusing on three primary goals:

• Maximize Developer Productivity: Achieve more with fewer lines of code.
• Embrace Pure PHP Syntax: Mirror the familiarity of native PHP conventions.
• Minimize Ambiguity: Use clear naming conventions to reduce errors.

Modern PHP for Enhanced Web Development

The Trongate framework's core resides in the 'engine' directory. All functions and methods within this directory include doc blocks, access modifiers (public/private/protected), type hinting, and return types, ensuring well-documented, modern PHP syntax.

Despite this, Trongate introduces unique syntax nuances that distinguish it from other frameworks.

Aligning PHP with C Roots

Trongate aims to provide a coding experience akin to pure PHP. Code examples in this documentation follow the K&R (Kernighan and Ritchie) coding style.

K&R is a compact, unambiguous style commonly used in C programming. It is named after Brian Kernighan and Dennis Ritchie, authors of "The C Programming Language."

Key Characteristics of K&R Style

• Indentation uses two spaces, not tabs, for consistency.
• Opening curly braces '{' appear on the same line as the function or control statement.
• Closing curly braces '}' align with the start of the controlling statement.

Example

Additional Coding Conventions

Trongate promotes the following practices:

• Use snake_case for function, file, and directory names.
• Prefer plural names for collections or groups.
• Adopt two-space indentation for clarity.

Snake Case for Clarity

Trongate's use of snake_case reduces ambiguity, unlike camelCase conventions in languages like JavaScript. For example, getElementById() versus getElementByID() can confuse developers. Snake_case eliminates such issues by using lowercase letters and underscores, e.g., get_element_by_id.

This approach simplifies development, reduces cognitive load, and prevents common errors.

Minimal Use of Namespaces and Access Modifiers

Trongate streamlines development by minimizing namespaces and access modifiers. This contrasts with traditional PHP frameworks but accelerates development processes.

While optional, many developers find this approach enhances efficiency once adopted.

Modern PHP Features

PHP 8 introduces features like type hinting, doc-blocks, return types, and constructor property promotion. These enhance code clarity and robustness but remain optional.

Trongate supports these features but generally avoids them in documentation to maintain simplicity and accessibility for new developers.

Conclusion

Trongate's syntax differs significantly from other PHP frameworks through streamlined practices, unique naming conventions, and concise coding. These deliberate choices prioritize efficiency and error reduction.

By refining coding practices, Trongate enhances developer productivity and advances PHP development through thoughtful innovation.

Trongate employs the underscore naming convention as a mechanism to control method accessibility. This convention involves prefixing method names with an underscore character to prevent them from being accessed directly via a URL. For example:

Methods prefixed with an underscore are effectively restricted from public URL invocation, while still remaining accessible within the framework's modular architecture.

How It Works

In Trongate, modules are designed to be independent yet interoperable. Developers can easily load one module from another, as demonstrated in the example below:

While methods prefixed with an underscore cannot be accessed via a URL, they remain fully accessible within the framework. This ensures that developers can invoke methods across modules without exposing sensitive functionality to external requests.

Addressing Common Misconceptions

A common misconception is that the underscore naming convention renders methods "private" or "protected." However, this is not the case. In object-oriented programming:

• Private methods can only be invoked within their containing class.
• Protected methods can be accessed by their containing class and any classes that extend it.

Since modules in Trongate are entirely independent, invoking a method from one module in another would be impossible unless the method is explicitly declared as public. The underscore naming convention does not alter a method's visibility within the codebase; rather, it restricts direct URL access to ensure security and maintainability.

Some developers mistakenly associate the underscore naming convention with outdated practices, particularly because earlier PHP frameworks (e.g., Zend Framework 1, early versions of CodeIgniter, and Yii1) used similar approaches but later replaced them with full access modifiers. However, this assumption is incorrect and reflects a misunderstanding of Trongate's unique architecture. The underscore naming convention is a deliberate and integral part of the framework's design, not a relic of outdated practices.

Without this convention, developers would need to rely on additional configuration mechanisms, such as YAML files, to explicitly specify which methods can or cannot be accessed via URLs. The underscore naming convention simplifies this process, providing a clean and efficient way to secure methods from direct URL access.

The Trongate Framework is a structured collection of directories and files designed to streamline the web development process. Below is a concise summary of each directory's purpose.

The Engine Directory

The engine directory contains the core functionality of the Trongate framework, including files responsible for loading classes, handling routes, and providing helper functions. Modifying files within this directory is strongly discouraged unless absolutely necessary and fully understood.

The Config Directory

The config directory stores essential configuration settings for your application, such as the base URL, environment settings, and default controllers. These settings are globally accessible throughout the application.

The Modules Directory

The modules directory organizes distinct components of the Trongate application, each referred to as a module. Modules encapsulate all functionality required for a specific feature, making them self-contained and reusable. Typically, a Trongate module includes the following subdirectories:

• Controllers: Handle the business logic of the module.
• Views: Manage the presentation layer and user interface elements.
• Assets: Store related files such as CSS, JavaScript, and images.

The Templates Directory

The templates directory is used for storing HTML templates. Unlike other frameworks that rely on separate templating engines, Trongate leverages PHP itself as its templating engine. This approach simplifies the learning curve and enhances performance.

The Public Directory

The public directory serves as the primary entry point for a Trongate web application, containing the index.php file. It also houses assets such as CSS, JavaScript, and images that are directly served to clients. Entire HTML themes can also be stored within the public directory.

Trongate applications exemplify a truly modular architecture, setting them apart from traditional PHP frameworks that often rely on pseudo-modularity and intricate dependencies. Unlike frameworks that depend on a 'vendor' directory managed by Composer for library loading, Trongate directly and independently loads modules. This efficient design minimizes overhead, streamlines the initialization process, and delivers significant performance improvements, as validated by independent benchmarks.

Understanding the Modules Directory

In the Trongate framework, the majority of developer-authored code resides within the "modules" directory. This directory implements Trongate's HAVC (Hierarchical Assets View Controller) architectural pattern, which enhances modularity and promotes clean, organized code.

What Is HAVC?

For developers familiar with the traditional MVC pattern, HAVC will feel intuitive. It retains core MVC components, such as controller files for application logic and views for presentation layers.

In Trongate, each module within the modules directory functions as an independent MVC cluster. These modules are self-contained but can interact with other modules and parts of the broader application. Additionally, HAVC supports the inclusion of modules within modules, offering enhanced modularity and flexibility to design scalable, maintainable applications.

The graphic below illustrates the typical structure of the modules directory. The two-way arrows indicate bidirectional communication between modules, allowing them to exchange information with both controller and view files.

HAVC vs. HMVC

Trongate's modular architecture shares conceptual similarities with HMVC by introducing hierarchy through submodules within modules. However, Trongate's structure is more flexible and less rigid than the strict hierarchical design typical of HMVC. This flexibility allows Trongate to combine structured code organization with loosely coupled systems, providing developers with adaptability and efficiency. As a result, Trongate excels in delivering robust, straightforward solutions without the complex dependencies often associated with traditional HMVC frameworks.

Trongate developers can use Packagist for sharing code, just as with other PHP frameworks. However, Trongate modules are designed to be entirely self-contained, enabling seamless distribution without reliance on external platforms. This means modules can be copied directly from one project and pasted into another, making them highly portable and easy to integrate.

If a module includes an SQL file, Trongate activates a built-in Module Import Wizard. This wizard prompts the user to import SQL code with a single click, ensuring smooth integration of modules that depend on database structures. For more details, see the Module Import Wizard chapter.

Self-Contained Modules: A Key Strength

Trongate's modular architecture emphasizes independence and portability. Each module encapsulates all necessary components, including controllers, views, assets, and optional database configurations. This design allows developers to copy and paste modules between projects without additional setup or dependencies. Whether you're reusing modules within a single application or sharing them across multiple projects, the process is straightforward and efficient.

Trongate's Code Sharing Platform

For developers seeking pre-built modules, Trongate offers "The Module Market"—a platform tailored specifically for Trongate modules. While not required for module distribution, The Module Market provides a centralized location for discovering high-quality, open-source modules that meet Trongate's standards for integration and compatibility. Each module is maintained by a single developer, ensuring accountability and consistent quality.

Comparative Overview of Code Sharing Platforms

The table below compares popular web development technologies, highlighting their approaches to managing and sharing intellectual assets such as code.

A Trongate module is typically organized into three primary directories, each serving a distinct purpose:

• Controllers: This directory contains the business logic of the module. It typically includes one or more PHP files, with at least one file defining a PHP class. While most modules contain a single PHP class file, some may require multiple files depending on complexity.
• Views: The views directory houses presentational content, primarily HTML. These PHP files are designed to integrate seamlessly with HTML, focusing on the user interface rather than business logic. This directory is optional, as not all modules produce presentational output.
• Assets: This directory stores additional resources such as CSS, JavaScript, images, and configuration files for API endpoints. Like the views directory, this is optional and only included when necessary.

Trongate’s dynamic module loading system is a standout feature of the framework, giving developers the ability to build scalable, modular applications with ease. With Trongate's module loading system, developers can use self-contained modules on demand, eliminating the need for excessive dependencies or cluttered codebases. Whether you're handling security, file uploads, or user management, modules integrate seamlessly, making it easier than ever to extend your application’s functionality. This page will walk you through how modules are dynamically loaded in Trongate.

How Dynamic Module Loading Works

In Trongate, modules are self-contained components that encapsulate specific functionality, such as security, file uploads, or user management. These modules can be loaded dynamically into your controllers, making it easy to extend the functionality of your application without modifying the core framework.

Step-by-Step Process

1. Loading a Module:

   To load a module, simply call the module() method in your controller and pass the name of the module as a parameter. For example:

   $this->module('trongate_security');

   This method delegates the loading process to the Modules class, which handles the instantiation and attachment of the module to your controller.

2. Dynamic Property Attachment:

   Once a module is loaded, it is dynamically attached to the Trongate instance as a property. For example, after calling $this->module('trongate_security');, the Trongate Security module becomes accessible via $this->trongate_security.

3. Using the Module:

   After loading the module, you can immediately use its methods. For example:

   $this->trongate_security->_make_sure_allowed();

   This seamless integration ensures that modules are ready to use as soon as they are loaded, without any additional configuration.

Under the Hood: How Dynamic Module Loading Works

To truly understand the power of Trongate’s dynamic module loading, let’s take a closer look at the underlying mechanisms:

The Role of the module() Method

The module() method in the Trongate class acts as a bridge between your controller and the Modules class. When you call $this->module('trongate_security');, the following happens:

1. The module() method creates an instance of the Modules class:
   $modules = new Modules;
2. It then calls the load() method of the Modules class, passing the name of the module to be loaded:
   $modules->load($target_module);

The Role of the Modules Class

The Modules class is responsible for dynamically loading and instantiating modules. Here’s how it works:

1. The load() method constructs the path to the module’s controller file based on the module name:
   $target_controller_path = '../modules/' . $target_module . '/controllers/' . ucfirst($target_module) . '.php';
2. If the controller file exists, it is included, and the module’s controller class is instantiated:
   $this->modules[$target_module] = new $target_module($target_module);
3. The instantiated module is stored in the $modules array within the Modules class, ensuring that it can be reused if needed. This caching mechanism prevents redundant instantiations of the same module during a single request, improving performance.

The Role of the Dynamic_properties Trait

The Dynamic_properties trait enables the Trongate class to handle properties that are not explicitly defined. Here’s how it works:

1. When a module is loaded, the Dynamic_properties trait allows the module to be dynamically attached to the Trongate instance as a property. For example:
   $this->trongate_security = new Trongate_Security('trongate_security');
2. This dynamic property attachment ensures that the module is accessible throughout the Trongate instance, allowing you to call its methods directly. For example:
   $this->trongate_security->_make_sure_allowed();

The Dynamic_properties trait is essential for enabling this flexibility, as it allows properties like $this->trongate_security to be added dynamically without requiring explicit declarations in the Trongate class.

Benefits of Trongate’s Module Loading System

Trongate’s dynamic module loading system offers several advantages that make it a powerful tool for developers:

• Modular Architecture: Trongate’s modular design promotes separation of concerns, making your codebase cleaner and easier to maintain.
• Ease of Use: With just a single line of code ($this->module('module_name');), you can load and use any module in your application.
• Flexibility and Extensibility: The ability to dynamically attach modules ensures that Trongate can adapt to the needs of your project.
• Lightweight and Efficient: Trongate’s module loading mechanism is designed to be lightweight and efficient, ensuring that your application remains performant.
• Developer-Friendly: The intuitive design of Trongate’s module loading system makes it accessible to developers of all skill levels.

In Summary

Trongate’s dynamic module loading system is a cornerstone of its architecture, providing developers with a powerful and flexible way to build modular applications. By leveraging the internal Dynamic_properties trait, Trongate ensures that modules can be seamlessly integrated into your controllers, enhancing both functionality and maintainability.

Whether you’re building a simple website or a large-scale, complex web application, Trongate’s module loading system empowers you to create clean, modular, and extensible code with minimal effort.

In web development, routing is the process of directing incoming web requests to the appropriate code that should handle those requests. Trongate's routing system manages this by mapping URLs (Uniform Resource Locators) to specific modules, controllers, and methods within your application.

Trongate uses a segment-based URL routing approach that creates clean, user-friendly URLs. This is in contrast to traditional PHP applications that often use query strings with symbols like question marks and ampersands.

Routing Example

Consider a product page on an e-commerce website. Using traditional PHP, you might see a URL like this:

With Trongate's routing system, you can create more readable and professional URLs like this:

Clean URLs like this offer several benefits:

• They're easier for users to read, understand, and remember
• They look more professional and trustworthy
• They're more friendly for search engine optimization (SEO)
• They hide implementation details of your application

Trongate provides three main ways to handle routing:

1. Homepage Routing: Special rules for handling requests to your website's homepage
2. Automatic Routing: URLs are automatically mapped to your code based on simple conventions
3. Custom Routing: Define your own URL patterns for specific needs

The following pages will explore each of these routing methods in detail, showing you how to create clean, professional URLs for your web applications.

The homepage is often the most visited page of any website. Trongate provides a simple way to control what happens when users visit your website's homepage (the root URL of your site).

Homepage Configuration

Homepage routing in Trongate is controlled through three constants in your config.php file, which is located in the 'config' directory. Here are the default settings:

These three constants work together to determine what code runs when someone visits your homepage:

• DEFAULT_MODULE: The module folder where your code is located
• DEFAULT_CONTROLLER: The controller file that contains your code
• DEFAULT_METHOD: The specific function that will run

With these default settings, visiting your homepage will:

1. Look inside the 'welcome' module folder
2. Find the 'Welcome' controller file
3. Run the 'index' method inside that controller

Customizing Your Homepage

You can change what appears on your homepage by modifying the constants within config.php. This file is located in:

Example

For example, if you want your homepage to display a dashboard, you might use:

Trongate's automatic routing system follows a simple, predictable pattern to map URLs to your code. When Trongate receives a URL request, it breaks the URL into segments and uses these segments to determine which code to run.

How URL Segments Work

Consider this example URL:

Trongate splits this URL into three segments and uses them in a specific way:

Given the URL above, Trongate will:

1. Look for a 'members' module folder
2. Find the 'Members' controller inside that folder
3. Run the 'profile' method
4. Pass '88' as a parameter to that method

Mapping URLs to Code

Here's what the corresponding code, based on our example, could look like:

Important Rules

• Module folders should be lowercase (e.g., 'members')
• Controller class names should have an uppercase first character (e.g., 'Members')
• Method names should be lowercase (e.g., 'profile')
• If no second segment exists, Trongate will look for an 'index' method

In Summary

Automatic routing makes it easy to add new functionality to your application - just create the appropriate module, controller, and methods, and Trongate will automatically make them accessible via URLs that follow this pattern.

Custom routing allows you to create clean, intuitive URLs by mapping your desired URL patterns to specific controllers and methods. This feature is particularly useful for creating SEO-friendly URLs and intuitive navigation paths.

Configuration File

In Trongate, custom routes are defined within 'custom_routing.php'. This file is located in:

From a PHP/framework perspective, custom_routing.php does the following two things:

1. Defines a PHP array named $routes.
2. Assigns the value of $routes to a PHP constant named CUSTOM_ROUTES.

Here is an example of PHP code you might typically find in custom_routing.php:

An Overview Of How Custom Routing Rules Are Defined

In Trongate, the $routes array maps incoming HTTP requests to code. Each item within the array is a key-value pair that defines a custom routing rule.

The key (i.e., the left side) for each rule is the desired URL pattern you want to match.

The value (i.e., the right side) defines what should be served when someone visits a URL that matches the left side.

Consider the following line of code from the example above:

Here, we are effectively telling Trongate:

"If someone visits shop, please behave as though they had just visited store/products."

Assume the base URL is defined like this:

In this case, a user who navigates to:

...would receive the same response from the website as if they had navigated to:

In Summary

Custom routing determines what content gets served when a user visits a given URL. It does not change the actual URL in the browser's address bar.

With Trongate, custom routing is handled via the file 'custom_routing.php'.

Custom routing rules are established by creating a $routes array, where each item is a key-value pair:

1. The keys represent desired URL paths.
2. The values represent what should be served.

Now, let's learn about custom routing patterns...

As discussed previously, custom routing is handled via the initialization of a $routes array within the file, 'custom_routing.php'.

Trongate offers two types of routing patterns that can be used to set up custom routing rules. These are:

1. Basic Routing Patterns
2. Dynamic Routing Patterns

Basic Routing Patterns

Basic routing patterns are static mappings. A basic routing pattern is designed to match an explicitly declared URL path to an explicitly defined response.

The matching process for these routes involves checking if the current URL matches one of the keys in the $routes array. If a match is found, the framework directs the request to the corresponding controller and method specified by the value of that key.

Basic Custom Routing Example

To create a basic custom routing rule, add a key-value pair to the $routes array. Here's an example:

With the code above, any request made to <base-url>login, will cause the following chain of events to occur:

• The framework will attempt to locate a module named 'users'.
• The framework will attempt to find a controller file, named 'Users.php' within the users module.
• The framework will attempt to find and load a PHP class named 'Users', within the target controller file.
• The framework will attempt to find a method named login(), within the Users class.
• The framework will attempt to invoke the target login() method.

Put simply, if somebody was to go to:

...the address bar would not change but the website would behave as though the user had navigated to:

A Word Of Caution

Basic custom routing offers an easy way to effectively declare:

"If a user arrives on 'x', behave as though they have arrived on 'y'."

But beware!

Basic custom routing only works when the current URL can be precisely matched to the defined URL pattern. It should never be used to generally swap 'x' for 'y' across a range of URLs.

Dynamic Routing Patterns

Dynamic routing patterns allow for more flexible routing by capturing variable segments in the URL. They use wildcard placeholders to match specific parts of the URL and pass those values to the controller method. This feature is essential when the URL structure involves dynamic parameters, such as IDs, names, or multi-segment paths.

Wildcard Types

Trongate provides three types of wildcards for capturing URL segments:

• (:num): Matches only numeric values. This is useful for routes where you expect a numerical identifier, such as product IDs.
• (:any): Matches any characters except the forward slash ('/'). This is useful for more general segments like categories or user names.
• (:all): Matches all remaining segments in the URL. This wildcard captures everything following it, which is helpful for paths with multiple segments (e.g., documentation paths or multi-level categories).

Here's an example of how these wildcards can be used:

Wildcard Table

Controller Mapping

The right side of each route maps to a controller and method, and the placeholders from the left side are passed to the method as parameters. Here's an example of how it works:

In the example above, (:num) captures the numeric ID passed in the URL, and (:any) captures any string-based segment. The (:all) wildcard is used for capturing everything after a particular path segment.

Route Groups

Organizing your routes into groups makes the routing system more maintainable and readable. Here's an example of how to group related routes together:

Important Considerations

Best Practices

Trongate provides a straightforward way to protect controller methods from direct URL access while keeping them available for internal use. This is crucial for maintaining application security.

Using the Underscore Prefix

To prevent direct URL access to a method, prefix it with an underscore (_):

Method Access Rules

Common Use Cases

Form Processing

API Methods

Security Implications

Best Practices

• Protect Data Processing: Use underscore prefix for methods that handle sensitive operations or data processing
• Helper Methods: Internal helper methods should always use the underscore prefix
• Form Handlers: Methods that process form submissions should be protected
• API Internals: Internal API operations should use protected methods

Method Organization

A well-organized controller might look like this:

This organization makes it clear which methods are part of your public interface and which are for internal use only.

Overview

Controllers are a fundamental component of the Trongate framework, acting as the operational core of each module within an application. They play a crucial role in managing the business logic that determines how applications respond to requests. By managing data, routing operations, and processing forms, controllers ensure operations are executed efficiently and accurately.

The Role of Controllers

In Trongate, controllers primarily handle server-side requests. They receive data from HTTP requests and process this data to make informed decisions about which views or templates to render. Controllers are also responsible for passing data into view files and templates, ensuring that each response is appropriately tailored to the user's actions and the current state of the application. Through Trongate's Model class, controllers fetch or update necessary data, facilitating robust and streamlined data management. Additionally, controllers can interact with and utilize controllers from other modules, enhancing modularity and reuse across the application. This capability allows for a flexible architecture where functionalities can be extended or modified without altering the core components of each module.

Key Responsibilities

• Processing Requests: Controllers interpret requests made to the server, whether they arrive directly through URLs or are facilitated by forms and other interfaces.
• Data Handling: Controllers manage interactions with the database through models, handling both data retrieval and updates.
• Rendering Views & Templates: Based on the processed data and the business logic, controllers determine which view file or HTML template to present, effectively dictating the output of the application.

Conclusion

Controllers do more than just receive and send data; they orchestrate the logical flow of the application, ensuring effective communication and functionality across all components. Every module within a Trongate application must contain a sub-directory named 'controllers'. These 'controllers' sub-directories must house at least one PHP file, which serves as the main controller for the module. Controller files may be considered the command centers of Trongate modules. They are pivotal in making crucial decisions and managing the module's interactions with other parts of the application.

Within the Trongate framework, controllers are PHP classes that extend the built-in Trongate class. Extending this foundational class provides controllers with immediate access to all of Trongate's core functionalities, such as form validation, database interactions, URL helpers, and more, enabling them to efficiently manage application logic and user interactions.

Naming Conventions

It is crucial to adhere to the following naming conventions when working with Trongate controllers:

1. File Naming: Controller file names should start with a capital letter, reflecting their importance and usage within the module.
2. Class Naming: Similarly, controller class names should begin with a capital letter, aligning with PHP's best practices for class definitions.
3. Module Naming: The controller class name should correspond to the name of its module, which can be in all lowercase. This consistency aids in maintaining a clear and logical structure within the project.

Example: The Dice Controller

Below is an example of a simple Trongate controller file named 'Dice.php', located within a hypothetical module named 'dice'. This example demonstrates how a controller can encapsulate specific functionalities:

Detailed Breakdown of the Dice Controller

The 'Dice' controller provides a demonstration of how controllers are structured and function within the Trongate framework. Let's examine each component of the controller:

PHP Opening Tag

This is the opening tag for any PHP script. It tells the server that the code following this tag should be interpreted as PHP code.

Class Declaration

This line declares a new class named 'Dice' which extends the 'Trongate' class. Extending a class in PHP is a fundamental aspect of object-oriented programming that allows the 'Dice' class to inherit all methods and properties of the Trongate framework's base class.

Function Declaration

The code above is the first line of a method named 'roll' within the Dice class. Methods are functions that are defined inside a class and describe the behaviors or capabilities of objects created from the class. In Trongate, as in many MVC frameworks, these methods can be linked to specific routes (URLs).

Method Functionality

Within the curly braces of the roll() method, we have this line of code:

The above line of code generates random number between 1 and 6 and assigns to the variable, $number.

Moving on, the next line of code - within the roll() method is as follows:

This line outputs the value of $number to the webpage. In the context of a controller within a framework like Trongate, this typically means sending the data back to the client's browser where it can be rendered as part of the HTML or handled via JavaScript.

Class and Method Closure

Finally, the roll() method is closed with a closing curly bracket:

This breakdown highlights how the 'Dice' controller leverages both Trongate's and PHP's built-in functionalities to perform its tasks, generating a random number between one and six.

Accessing the Controller

The roll() method can be invoked by navigating to the following URL:

This URL structure would cause the 'roll' method to be invoked, generating a random number between one and six using PHP's inbuilt rand() function. The random number that has been generated would then be displayed on the screen.

URL Mapping and Routing

The URL provided adheres to Trongate's rules for automatic URL routing. In the example above:

• The first URL segment, dice, maps to a class named 'Dice'. This class is part of a module also named 'dice'.
• The second URL segment, roll, specifies the method to be invoked. Thus, it triggers the roll() method within the loaded Dice class.

This structured URL pattern ensures that requests are routed efficiently to the appropriate controller actions, making URL management straightforward and intuitive within the Trongate framework.

Typically, the 'controllers' directory within a given module will contain one PHP file. This file generally defines a single PHP class, named after the module itself, but with the first letter capitalized in both the filename and the class name to adhere to PHP naming conventions.

This section explores scenarios where a module's 'controllers' directory contains more than one PHP class, detailing the considerations and best practices for organizing multiple classes within a single 'controllers' directory.

Step 1: Creating an Additional PHP Class

To add a second PHP class within the 'controllers' directory of a Trongate module, create a new PHP file alongside your primary controller. The file name should clearly reflect its purpose, starting with a capital letter in accordance with PHP class naming conventions.

Example: Suppose you want to add a class named 'Greeting' within the 'controllers' directory of Trongate's default 'Welcome' module. The first step is to create a file named 'Greeting.php'. This file should be placed inside the 'controllers' directory of the 'welcome' module.

For demonstration purposes, the PHP class named 'Greeting' may be defined as follows:

This class provides a simple method to return a greeting message. By placing this class in the 'controllers' directory, it is organized alongside other related controllers, ensuring that your module remains tidy and manageable.

Step 2: Loading the Additional PHP Class

Once you have created an additional PHP class within the 'controllers' directory, the next step is to ensure that this class is properly loaded and accessible where needed. In Trongate, this typically involves using require_once or a similar include statement to ensure the class is available without causing redundancy or errors.

Why Use require_once? This PHP statement is crucial in situations where the same file might be included multiple times during a request. It ensures that the file is included only once, preventing errors and behavior anomalies that occur from multiple inclusions, such as redeclaration errors.

Example of Loading an Additional Class

Consider that you have the Greeting class in a file named 'Greeting.php' within the 'welcome' module's 'controllers' directory. To use this class in your main controller or anywhere within the module, you would include it using the following PHP statement:

This example demonstrates how to load the 'Greeting' class and use it within the 'Welcome' controller. The require_once statement is placed at the top of the file, ensuring that the 'Greeting' class is available to the 'Welcome' controller methods.

Best Practices for Loading Additional Classes

• Location of Include Statements: Place all include statements at the beginning of the file. This practice makes it easier to track which dependencies are used in the file and prevents issues related to undeclared classes.
• Avoid Overloading: Only include classes that are necessary for the functionality of the current PHP file. Overloading a file with unnecessary includes can lead to performance issues and complicates debugging.
• Consider Use of Additional Modules: For larger projects, consider creating additional modules or child modules for situations where multiple PHP classes need to be called from a module.

By following these guidelines, you can efficiently manage and utilize multiple classes within your Trongate module, ensuring that each class is loaded appropriately and is ready to fulfill its role within the application.

Namespaces in PHP are essential for encapsulating identifiers like classes, functions, and constants. They prevent name collisions and organize code more efficiently, particularly in applications where the same class names might be used in different parts of the project.

Example: Applying Namespaces to Avoid Conflicts

This section expands on the 'Greeting' example from the previous page by modifying the existing class to include a namespace and introducing another 'Greeting' class under a different namespace. This demonstrates how namespaces enhance modularity and prevent conflicts.

Step 1: Modifying the Existing Greeting Class

First, update the existing 'Greeting.php' file to include a namespace. This adjustment organizes the existing class within a specific context in the application, clarifying its role and grouping.

Update the 'Greeting.php' file as follows:

This update encapsulates the 'Greeting' class within the 'FriendlyGreeting' namespace, clearly signaling its positive, welcoming intent within the application.

Step 2: Creating an Alternative Greeting Class

Next, create a new class that provides an unfriendly greeting. This class will be placed in its own file and namespace to demonstrate a different aspect of functionality.

Create a new PHP file named Unfriendly.php within the 'controllers' sub-directory of the 'welcome' module. Add the following code:

This alternative greeting class uses the UnfriendlyGreeting namespace, offering a stark contrast to the friendly version. Placing it under a different namespace ensures that both functionalities can coexist without conflict, despite sharing the same class name.

Step 3: Using the Namespaced Classes

These classes can now be utilized in other parts of the application. The following example demonstrates their usage within a single controller:

By using the use statement with aliases, both classes are accessible under the same controller without any naming conflict, demonstrating the power of namespaces in PHP.

Conclusion

Namespaces are a powerful feature in PHP, essential for maintaining a well-organized codebase and preventing conflicts between similarly named classes across different parts of an application. By using namespaces, classes are neatly packaged and do not interfere with others, even if they share the same name.

This guide outlines the process for integrating third-party PHP libraries into Trongate applications using Packagist, the primary repository for Composer packages. For demonstration purposes, the instructions below specifically focus on downloading and utilizing Guzzle, a third-party PHP library that facilitates the sending and receiving of HTTP requests and responses.

System Requirements

Ensure that the system meets the following requirements:

• PHP: PHP 8 or newer is required to use the latest version of Trongate with Packagist.
• Composer: Composer must be installed on the system for managing library dependencies. If Composer is not installed, visit getcomposer.org to download and install it.
• Internet Connection: An active internet connection is necessary to download packages from Packagist.

Step 1: Setting Up the Project with Composer

1. Initialize Composer: If a composer.json file is not already present in the project, create one by running the following command in the project directory:
   composer init
   Follow the prompts to configure the project. This setup helps manage project dependencies.
2. Install Guzzle: Add Guzzle to the project by running:
   composer require guzzlehttp/guzzle
   This command instructs Composer to find Guzzle on Packagist and install it along with any necessary dependencies.
3. Verify Installation: Ensure that the Guzzle library has been added to the project by checking that the composer.json file includes Guzzle and that the vendor directory has been created with Guzzle files in it.

Step 2: Using Guzzle in a Trongate Application

1. Autoload Dependencies: To use Guzzle, include Composer's autoloader in the PHP script. Add the following line at the top of the PHP file:
   require_once APPPATH.'vendor/autoload.php';
   This inclusion ensures that all dependencies, including Guzzle, are loaded and available for use.
2. Create an HTTP Client: Instantiate a new Guzzle client to make HTTP requests:
   $client = new GuzzleHttp\Client();
3. Make an HTTP Request: Use the client to send a request and retrieve the response:
   $response = $client->request('GET', 'https://api.example.com/data'); echo $response->getBody();

Complete Example

Below is an example of using Guzzle within a Trongate controller file to fetch data from GitHub's API:

Conclusion

Although Trongate has its own code-sharing platform, there may be instances where downloading third-party code via Packagist is desirable. Packagist offers a vast repository of PHP libraries and packages that can significantly accelerate development and bring advanced functionality to projects with minimal effort.

However, the use of Packagist is not without challenges. Relying on Packagist can lead to potential issues with stability, versioning, and dependencies. Moreover, developers considering using code from Packagist should be aware of potential security vulnerabilities associated with Packagist.

The Trongate framework enables developers to selectively use Packagist for specific modules, providing precise integration without compromising the overall performance of the application. This targeted approach ensures that enhancements can be made where necessary without affecting the efficiency of the entire system.

View files in Trongate are designated for presentation code, primarily HTML. These files may also include other types of code, such as JavaScript and CSS. Typically, each module within a Trongate application contains a directory named 'views' to store these files.

The 'views' directory, positioned at the same hierarchical level as the 'Controllers' directory within a module, is optional and depends on the module's purpose. For example, a module designed for data processing tasks, such as handling API requests or performing background data synchronization, typically does not require a 'views' directory since it operates without user interface elements.

Functionality of View Files

Within the Trongate Framework, view files are PHP files that contain primarily presentation code, most notably HTML. These files are typically invoked from controller files and are recommended to avoid complex PHP logic, adhering to the MVC best practices. This separation ensures that business logic remains within controllers, thereby keeping view files clean and focused solely on the user interface, enhancing maintainability and clarity.

View files are loaded through controller methods using Trongate's built-in view() method. For example:

This command is typically placed within a method of a controller class. When executed, it instructs Trongate to render (in this instance) the welcome.php view file located in the module's 'views' directory, thereby displaying the HTML and any associated presentation content.

This section introduces fundamental concepts of view file management, using a basic installation of Trongate as a starting point.

Upon installation, Trongate automatically loads the default 'welcome' module and its associated controller. Below is the initial structure of the 'Welcome' controller:

If the index() method is invoked, as specified by the default homepage routing configuration, it loads a template and passes a $data array containing a 'view_file' property.

Implementing a Custom Method

To illustrate basic view file usage, we add a custom method to the 'Welcome' controller. Here's a simplified implementation of the 'greeting' method:

Introduction to the "View" Method

To load view files, Trongate utilizes an internal method named view() .

In the provided example, the view() method is invoked with the argument 'greeting'. This triggers a search in the 'views' directory of the current module for a file named 'greeting.php'. If found, the content of this file is rendered and displayed in the browser.

With the addition of the greeting() method, the 'Welcome' controller will be extended as follows:

Creating a Simple View File

After defining the method to load a view file, the next step is creating a new PHP file named 'greeting.php' within the 'views' directory of the 'welcome' module. This file will contain basic HTML content for demonstration purposes. For example:

Rendering the View File

To render the view file in the browser, navigate to BASE_URL/welcome/greeting. If the greeting() method and the corresponding 'greeting.php' view file are correctly implemented, the browser will display output similar to the following:

Conclusion

This example provides a foundational overview of using view files within the Trongate framework. By adding the greeting() method to the 'Welcome' controller, we demonstrate how Trongate's view() method loads HTML content from a view file. Remember to specify the view file name without the '.php' extension to ensure proper functionality.

Passing data into view files in Trongate involves initializing an associative array within a controller and passing it to the view() method. This array contains variables that can be accessed directly within the view for dynamic content rendering.

Basic Data Passing

The technique for passing data from controller files into view files comprises of the creation of an associative array of key-value pairs. This data array is then passed as the second argument to the view() method:

This example initializes $data with user information and renders the 'welcome' view, where variables like $first_name and $last_name can be accessed directly.

Complex Data Types

You can pass various data types such as arrays, objects, and booleans into view files. For instance, consider passing an array of cities and today's date to a view:

Accessing Passed Data

Within view files, accessed data is available as standard variables. For debugging or development purposes, you can use:

To display structured data in a formatted manner, use Trongate's json() method:

Example: Rendering Dynamic Content

Enhance the greeting() method to pass a name variable into a view file:

In the 'greeting.php' view file, you can directly echo the $name variable:

Output:

To capture the rendered output of a view file as a string variable in Trongate, developers can utilize the third argument of the view() method. This approach is useful when the output needs to be manipulated or processed further before being sent to the output stream.

Example Usage

Consider a scenario where you want to capture the HTML output of a 'information.php' view file:

The code sample above demonstrates capturing the rendered output of a view file and returning the view file output as a PHP variable named, '$html'.

Step-by-Step Guide

1. Step 1: Assign the result of the view() method to a variable:
$output = $this->view("greeting", $data...
2. Step 2: Include the boolean value true as the third parameter to return the output as a string:
$output = $this->view("greeting", $data, true);
3. Step 3: Complete the method by returning the newly created variable:
return $output;

In web development, managing various types of files - such as JavaScript, CSS, and images - alongside PHP files can be challenging. Traditional PHP frameworks often adhere to the MVC design pattern, which does not provide a clear solution for handling non-PHP assets. This can lead to confusion and inefficiency when developing complex modules that require a variety of file types. The File Asset Manager in Trongate solves this issue. It does so by letting web developers store all necessary file assets - for any given module - within an assets sub-directory. This means that Trongate modules can be self-contained, highly-portable, and reusable.

Example

Consider a scenario where an invoicing system needs to be developed. In this case, a module might be created to handle the creation and management of invoices. Developing and testing such a module could take several days. Thus, having the 'invoicing' module function as a self-contained unit would be advantageous. This modular approach would allow for easy reuse of the 'invoicing' module in future projects by simply transferring the directory from one site to another. Trongate facilitates this modularity.

A potential challenge in this scenario would involve serving non-PHP files, such as specific JavaScript libraries, CSS files for styling invoices, or images. For example, the invoicing system might require a CSS file for invoice styling, a directory for storing company logos, or badges and logos for affiliated governing bodies. Traditional PHP frameworks do not provide an efficient way to manage these assets within the MVC design pattern.

Fortunately, Trongate resolves this issue. As a truly modular framework, Trongate allows modules to be entirely self-contained. This means that all necessary files for a feature, such as an invoicing system, can be included within a single module. This includes CSS, JavaScript, images, and other assets.

Truly Modular

Trongate's true modularity ensures that modules are self-contained. When building features like the aforementioned invoicing system, all required files can be housed within one module. This approach simplifies the process of managing and deploying features across different projects.

The code responsible for serving non-PHP assets within Trongate modules is known as the File Asset Manager.

This chapter provides detailed instructions on utilizing Trongate's File Asset Manager.

To clearly illustrate the purpose and functionality of the File Asset Manager, it is beneficial to examine a practical example. This section will guide through a straightforward example using the 'welcome' module that's included with all Trongate framework installations. The objective is to store a JavaScript file within the 'welcome' module and display a simple webpage that executes the module's internal JavaScript file.

The Starting Point

A fresh installation of a Trongate web application includes a module named 'welcome', which contains a controller file named Welcome.php. The 'Welcome' controller file comprises a class with a single method, as illustrated below:

Adding a New Method

Next, a new method will be added to the controller file. This method, named 'hello', will load a simple view file displaying the message 'hello world'. The updated controller code is as follows:

A Simple View File

Proceed by creating a view file containing basic HTML. The code sample below demonstrates a simple HTML template with the message 'Hello World' encapsulated within <h1> tags.

Displaying Content

To verify, open a web browser and navigate to the application homepage, followed by welcome/hello. The 'Hello World' message should be displayed on the screen.

Create an Assets Directory

Within the 'welcome' module, alongside the existing 'controllers' and 'views' directories, create a new directory named 'assets'.

Inside the 'assets' directory, create a subdirectory named 'js'. This 'js' directory will serve as the repository for JavaScript files within the module.

Create a JavaScript File

Next, create a JavaScript file named 'ahoy.js' that contains a single line of code: an alert command.

Save the 'ahoy.js' file inside the 'js' directory located within 'assets'.

Calling the JavaScript File

To include the JavaScript file in the 'hello' view file, use standard 'script' tags with the 'src' attribute set to . For example:

View File with JavaScript Integration

Below is the complete code for the 'hello' view file, incorporating the 'script' tags just before the closing body tag:

Testing the JavaScript File

Save the file and refresh the page in the browser. If a JavaScript alert box appears, it confirms that the JavaScript file has loaded successfully.

In the example from the previous page, a JavaScript file was successfully served from deep within our 'modules' directory. The target JavaScript file was loaded by setting a source ('src') value of:

welcome_module/js/ahoy.js

Under normal circumstances, such a short and concise file destination would produce file loading errors. However, the JavaScript file could be loaded without issue by invoking Trongate's Module Assets Trigger.

Understanding the Module Assets Trigger

The Module Assets Trigger serves as a specific string included in website URLs or file paths. When encountered, the File Asset Manager initiates a process to locate the requested asset within a module's assets directory. Assuming the file exists, the File Asset Manager handles the necessary file retrieval and response headers, facilitating modular development.

By default, the Trongate framework's Module Assets Trigger is defined as the string '_module'. Any path containing this trigger prompts Trongate to identify and fetch files from the respective module's assets directory.

Configuration and Usage

The Module Assets Trigger is configured within the config.php file using the following line:

This configuration instructs Trongate to detect and interpret URLs or file paths containing '_module' to fetch assets from the corresponding module's assets directory. For example, to reference a file within the 'cars' module, the path should begin with:

This indicates that the asset is located within the 'assets' subdirectory of the 'cars' module.

Customization Options

If customization of the Module Assets Trigger is necessary to suit specific preferences or naming conventions, simply modify the value assigned to MODULE_ASSETS_TRIGGER in the config.php file.

Trongate's File Asset Manager introduces important considerations regarding application architecture. For instance, imagine developing a picture uploader for a 'members' module where members can upload pictures to their profile pages.

For developers building such a feature, the decision of where to store members' pictures becomes crucial. Let's explore two common approaches:

• Storing Pictures in the Public Directory: This approach involves placing member pictures directly within the 'public' directory of the application, typically in a subdirectory like 'images' or 'member_pics'.
• Storing Pictures in the 'Assets' Directory of the 'Members' Module: Alternatively, developers may choose to store these images within the 'assets' directory of the 'members' module itself.

Here are the pros and cons of each approach:

Storing Pictures in the 'Public' Directory

Pros:

• Easily accessible and straightforward to link directly from web pages.
• Reduces the likelihood of 404 errors caused by file or path naming conflicts.
• Facilitates module reusability by maintaining a compact 'members' module size.

Cons:

• Compromises module encapsulation as assets are dispersed across separate directories.
• Imposes additional responsibility on developers to manage directory naming and access permissions.
• Elevates the risk of unintentional image pollution within the designated directory.

Storing Pictures in the 'Members' Module

Pros:

• Enhances module encapsulation by centralizing related assets within the 'members' module.
• Reduces the risk of non-related images coexisting within the image directory.
• Provides granular control over access permissions and asset visibility.

Cons:

• Requires additional configuration to serve module-specific images through web requests.
• Increases the potential for 404 errors due to conflicting file or path names within the application.
• Possibility of creating overly large modules that are challenging to reuse efficiently.

In Conclusion

Web development often involves making critical decisions about where to store assets like pictures, which are pivotal to an application's architecture and scalability. There is no one-size-fits-all solution, and these choices are integral to the iterative process of web development. Trongate provides developers with flexible tools, encouraging the creation of applications that meet specific needs without imposing rigid methodologies.

Developers are encouraged to embrace these decisions as opportunities to optimize their application's performance and maintainability. It is the responsibility of developers - and not the framework - to determine the most effective architecture structures for their specific needs.

Trongate is a robust and flexible PHP framework designed to facilitate efficient and maintainable web application development. One of its key features is the ability to load modules from other modules. This capability provides several significant benefits, enhancing both the architecture and functionality of your applications.

Benefits of Loading Modules from Other Modules

Code Reusability

Loading modules from other modules promotes code reusability. By encapsulating specific functionality within modules, developers can easily reuse that functionality across different parts of the application without duplicating code. This leads to more efficient development processes and a reduction in potential errors.

Separation of Concerns

Separation of concerns is a fundamental principle in software development. By keeping different functionalities in distinct modules, developers can ensure that each module handles a specific aspect of the application. This modular approach makes the codebase more organized, easier to understand, and simpler to maintain.

Improved Maintainability

Maintaining a large codebase can be challenging. By dividing the application into modules, each handling a specific function, changes or updates can be made more easily. If a particular functionality needs to be modified, developers can focus on the relevant module without affecting other parts of the application.

Enhanced Collaboration

In a collaborative development environment, different team members can work on different modules simultaneously. This modular structure facilitates parallel development, as changes in one module are less likely to interfere with the work being done on other modules. It also makes code reviews and testing more manageable.

Scalability

As your application grows, the ability to load modules from other modules helps in scaling the application efficiently. New functionalities can be added as separate modules without disrupting the existing architecture. This modular approach ensures that the application remains scalable and manageable over time.

Flexibility

Loading modules from other modules provides the flexibility to create complex and feature-rich applications. Developers can combine various modules to build sophisticated functionalities while keeping the codebase clean and maintainable. This flexibility allows for rapid development and easy integration of new features.

Enhanced Performance

Trongate's module loading system offers significant performance advantages over the PSR-4 autoloading standard used in many PHP frameworks. Unlike PSR-4, which involves a round trip to a 'vendor' directory and introduces additional overhead, Trongate provides a more direct loading mechanism. This streamlined approach eliminates unnecessary processing steps, resulting in faster module retrieval and notably improved application performance.

Conclusion

The ability to load modules from other modules is a powerful feature of the Trongate framework. It offers numerous benefits, including code reusability, separation of concerns, improved maintainability, enhanced collaboration, scalability, and flexibility. By leveraging this capability, developers can create robust, efficient, and maintainable web applications that are well-organized and easy to scale.

Loading Modules From Controllers

Within the Trongate framework, there are two primary methods for a module to load another module.

The first method involves loading a module from within a controller file, while the second involves loading a module from a view file. This section focuses on loading a module from a controller file.

To load a module from a controller, use the following syntax:

As illustrated, only two lines of code are required to load a method from a different module.

Below is an improved example demonstrating how to call a 'Tax' module to calculate the final price after tax has been applied. This method first loads the 'Tax' module and then invokes its method to add tax to the base price.

Here is a more complex example that involves loading and using three different modules: 'Tax', 'Shipping', and 'Discount'. This method calculates the final price by applying tax, adding shipping costs, and then applying any available discounts.

In the example above:

• The 'Tax' module's add_tax method is used to add tax to the base price.
• The 'Shipping' module's add_shipping method calculates and adds the shipping cost to the price with tax.
• The 'Discount' module's apply_discount method applies any available discounts to the price with shipping.

Loading Modules From Views

Within the Trongate framework, it is possible to load another module from within a view file. This capability provides additional flexibility and allows for dynamic content generation within views.

To load a module from a view file, use the following syntax:

Why Use This Approach?

There are various scenarios where loading a module from within a view file can be advantageous. For instance, consider the need to include a 'Stripe' payment button on a webpage. When users click the 'Buy Now' button, a pop-up might appear, prompting the user to enter payment details. The implementation of such a feature can be complex and is best handled by a dedicated 'stripe' module.

Having a separate 'stripe' module that manages everything related to Stripe payments, including rendering the pop-up payment modal, allows you to maintain clean and organized code. This module can be easily called from any view file with a single line of code, as shown below:

Passing Arguments

When calling modules from view files, arguments can be passed to the methods. This is done by separating the arguments with commas. Below is an example where a variable called $name is passed as an argument:

Within the Trongate framework, there are two primary methods for a module to load another module.

The first method involves loading a module from within a controller file, while the second involves loading a module from a view file. This section focuses on loading a module from a controller file.

To load a module from a controller, use the following syntax:

As illustrated, only two lines of code are required to load a method from a different module.

Below is an improved example demonstrating how to call a 'Tax' module to calculate the final price after tax has been applied. This method first loads the 'Tax' module and then invokes its method to add tax to the base price.

Here is a more complex example that involves loading and using three different modules: 'Tax', 'Shipping', and 'Discount'. This method calculates the final price by applying tax, adding shipping costs, and then applying any available discounts.

In the example above:

• The 'Tax' module's add_tax method is used to add tax to the base price.
• The 'Shipping' module's add_shipping method calculates and adds the shipping cost to the price with tax.
• The 'Discount' module's apply_discount method applies any available discounts to the price with shipping.

Within the Trongate framework, it is possible to load another module from within a view file. This capability provides additional flexibility and allows for dynamic content generation within views.

To load a module from a view file, use the following syntax:

Why Use This Approach?

There are various scenarios where loading a module from within a view file can be advantageous. For instance, consider the need to include a 'Stripe' payment button on a webpage. When users click the 'Buy Now' button, a pop-up might appear, prompting the user to enter payment details. The implementation of such a feature can be complex and is best handled by a dedicated 'stripe' module.

Having a separate 'stripe' module that manages everything related to Stripe payments, including rendering the pop-up payment modal, allows you to maintain clean and organized code. This module can be easily called from any view file with a single line of code, as shown below:

Passing Arguments

When calling modules from view files, arguments can be passed to the methods. This is done by separating the arguments with commas. Below is an example where a variable called $name is passed as an argument:

The Trongate framework introduces the concept of Parent and Child Modules, a powerful feature that allows for modular and hierarchical organization of application components. This architecture enables developers to create complex, nested module structures, enhancing code reusability and maintaining a clean, organized codebase.

Key Concepts

• Parent Module: A module that contains one or more child modules.
• Child Module: A module that is nested within a parent module.

This hierarchical structure allows for the creation of self-contained, feature-rich components that can be easily integrated into Trongate applications.

Trongate provides multiple ways to access and utilize child modules within your application.

URL Routing

To access a child module via URL, use the following format:

Example #1

The code sample below demonstrates how to access the 'display' method of an 'accessories' child module within a 'cars' parent module:

Creating Links

Example #2

The code sample below demonstrates how to use the Trongate anchor() function to create links to child module methods:

Loading Child Modules Programmatically

To load a child module within a controller or another module:

Example #3

This example demonstrates how to load and use a child module named 'product_reviews' within a parent module 'shop'. We'll load the child module and then call its 'get_latest_reviews' method:

In this example, the 'product_reviews' child module is loaded using:

Thereafter, the child module's methods can be accessed using syntax of the following form:

The example shown above fetches reviews, passing in the $product_id as an argument:

Trongate comes with a fully featured PHP class for assisting with database interaction. The class is named 'Model' and is stored in a file named Model.php, inside the engine directory.

The Model class contains the following methods:

For Data Retrieval:

• get()
• get_where()
• get_where_custom()
• get_one_where()
• get_many_where()
• get_where_in()
• get_max()

For Data Manipulation:

• insert()
• update()
• update_where()
• delete()
• insert_batch()

For Data Analysis and Management:

• count()
• count_where()
• count_rows()
• describe_table()
• table_exists()
• get_all_tables()
• resequence_ids()

For Custom Database Querying:

• query()
• query_bind()

The following pages will provide information on how to perform database operations using Trongate's Model class.

The Trongate Model class includes a 'Debug Mode' feature that allows developers to inspect the raw SQL queries generated by their application. By default, Debug Mode is disabled. To enable it, follow these steps:

1. Open the Model.php file located in the application's engine directory.
2. Navigate to the top of the file where a private variable named $debug can be found.
3. Change the value of $debug from false to true.

For example:

With Debug Mode enabled, PDO will display the SQL queries that will be executed by the application.

Debug Mode Screenshot

Testing Debug Mode

This section demonstrates a practical example of Debug Mode in the Trongate Model class. A test database table named students will be created, and its records will be retrieved using the Model class. The goal is to fetch some database records and then inspect the raw SQL query by having debug mode set to true.

Step 1: Create a Test Database Table

Before testing Debug Mode, a test table must be created in the database. The table, named students, will contain the following columns:

• first_name (varchar)
• last_name (varchar)
• email_address (varchar)

The following SQL statement can be used to create the table and insert sample data:

Executing this SQL statement in the database will create the table and insert five test records.

Step 2: Fetching Data from the students Table

Once the students table is set up, a method can be created in the Controller to fetch all records using the Model class.

The following method retrieves all records from the students table:

This test() method invokes get() - which is part of the Model class - to fetch all records from the students table, ordered by id. The method then invokes json() to output the fetched rows in JSON format.

Step 3: Enable Debug Mode

To inspect the raw SQL query being executed, Debug Mode must be enabled. This is done by modifying the Model.php file and setting $debug = true; as shown below:

Step 4: Running the Test with Debug Mode Enabled

Once Debug Mode is enabled, the test() method should be executed by visiting the corresponding URL in a web browser. With Debug Mode active, the raw SQL query will be displayed at the top of the page, followed by the JSON output of the retrieved records.

For example, the displayed SQL query may resemble the following:

The JSON-encoded result set will be displayed below:

The raw SQL query is now visible, providing insights into the underlying database operations.

Step 5: Additional Methods in the Model Class

Debug Mode helps verify that queries are executed as expected. In this example, the get() method from the Model class was used to fetch database records.

The Trongate Model class includes several additional methods for database interaction. These methods will be covered in the next section.

The Trongate Model class provides several methods for fetching data from your database tables. These methods are designed to retrieve records efficiently based on various criteria.

• get() : Retrieves all records from a table.
• get_where() : Retrieves records based on a specific condition.
• get_where_custom() : Retrieves records based on custom SQL conditions.
• get_one_where() : Retrieves a single record based on a specific condition.
• get_many_where() : Retrieves multiple records based on specific conditions.
• get_where_in() : Retrieves records where a column value is in a specified array.
• get_max() : Retrieves the maximum value of a column.

Video Tutorial: Basic Data Fetching

The following video demonstrates how to fetch data using Trongate's in-built data fetching methods.

The Trongate Model class provides the following methods for inserting, updating, and deleting database data:

• insert()
• update()
• update_where()
• delete()
• insert_batch()

Creating Database Records With The Insert Method

The insert() method inserts a row of data into a database table. With this method, rows of new data are represented by a PHP array. This method accepts the following parameters:

• $data (required) - an array of key-value pairs representing the table row that is to be inserted.
• $target_table (optional) - the name of the database table where the new row is to be inserted. By default, the Model will assume the target table is equal to the value in the first URL segment.

What Gets Returned?

If the method results in a new table row being inserted, the 'id' of the newly inserted record will be returned.

Example

The syntax below shows the simplest insert example possible. In this example, we create an array of data that represents a new table row. Then, we invoke the insert method to add a new row to a database table using the array we created.

The code above will produce the following SQL query:

INSERT INTO tablename (first_name, last_name, trongate_user_id) VALUES ('Eric', 'Clapton', 91)

Updating Database Records With The Update Method

The update() method updates a record in a database table. This method takes the ID of the record to update, an associative array containing column names as keys and their corresponding values, and an optional parameter specifying the name of the database table to update. It constructs and executes an SQL query to perform the update, returning true if the update was successful and false otherwise. This method accepts the following parameters:

• $update_id (required) - the ID of the record to update.
• $data (required) - an associative array containing column names as keys and their corresponding values.
• $target_table (optional) - the name of the database table to update. By default, the Model will assume the target table is equal to the value in the first URL segment.

What Gets Returned?

If the method successfully updates the record, it returns true. Otherwise, it returns false.

Example

The code sample below demonstrates how to use the update() method to update a record in the database.

Deleting Database Records With The Delete Method

The delete() method deletes a record from a database table based on its ID. This method takes the ID of the record to delete and an optional parameter specifying the name of the database table. It constructs and executes an SQL query to delete the record, returning true if the delete operation was successful and false otherwise. This method accepts the following parameters:

• $id (required) - the ID of the record to delete.
• $target_table (optional) - the name of the database table. By default, the Model will assume the target table is equal to the value in the first URL segment.

What Gets Returned?

If the method successfully deletes the record, it returns true. Otherwise, it returns false.

Example

The code sample below demonstrates how to use the delete() method to delete a record from the database.

Video Tutorial: Creating, Updating & Deleteing Records

The video below demonstrates how how to create, update and delete database records using Trongate's Model class.

The Trongate PHP framework provides essential methods within its Model class for efficient data analysis and management tasks. These methods encompass functionalities such as counting records, verifying table existence, describing database tables, and more. Below is a comprehensive list of methods available for data analysis and management:

• count()
• count_where()
• count_rows()
• describe_table()
• table_exists()
• get_all_tables()
• resequence_ids()

For detailed guidance on each method's purpose and usage instructions, simply click the 'info' icon located next to the respective method name.

Understanding The Resequence IDs Method

While most methods in Trongate's Model class operate predictably and align with standard database operations, the resequence_ids() method stands out as somewhat esoteric. Therefore, the video below has been created to assist developers in understanding the Resequence IDs Method, covering both its purpose and general usage.

Custom database queries provide developers with the flexibility to execute SQL commands tailored to specific needs beyond the basic CRUD operations. This capability is essential for scenarios where predefined methods may not suffice, such as complex data retrievals, advanced analytics, or specialized data manipulations.

Executing Custom SQL Queries with The Query Method

The query() method allows developers to execute custom SQL queries directly. This method is versatile, accepting any valid SQL statement as its input. It returns the query results based on the specified return type, either as an array or an object.

Executing Custom SQL Queries with Query Binding

The query_bind() method enhances security by utilizing parameter binding in SQL queries. Instead of directly embedding values into the SQL statement, it binds parameters separately, mitigating the risk of SQL injection attacks.

This method is particularly advisable when handling user input or dynamic data, where parameterized queries provide robust protection against malicious SQL injections.

Effective database management in modern web development often requires performing advanced table joins. These operations are essential for combining data from multiple database tables efficiently.

The Trongate Graphical Query Builder provides a powerful solution for simplifying the creation of complex table joins. This tool is an integral part of the Trongate framework ecosystem, offering robust functionality designed to streamline database querying processes.

The video below demonstrates how to create advanced database table joins using The Trongate Graphical Query Builder.

The video tutorial below shows you everything you need to know about parent modules and child modules.

Trongate uses pure PHP for rendering web pages, providing a straightforward and flexible approach to templating. This section explains the role of templates, how they differ from views, and how they operate within the Trongate framework.

What Are Templates?

In Trongate, a template is a PHP file that defines the complete structure of an HTML web page. Templates ensure consistency across an application by incorporating common elements—such as headers, footers, and navigation menus—into every page.

Templates vs. Views

It is essential to understand the distinction between templates and views:

• Templates: Define the full structure of a web page, including the <!DOCTYPE>, <html>, <head>, and <body> tags. They often include reusable components like headers, footers, and sidebars.
• Views: Contain partial content that is injected into a template. A view typically represents a specific section of a page rather than the entire layout.

Templates can load views, but views do not load templates. This separation ensures that templates maintain a consistent page structure while views handle dynamic content.

Where Templates Are Stored

Templates in Trongate are organized within a dedicated module named templates, located in the root directory of your application.

The Templates Module

The templates directory functions as a standard Trongate module, ensuring global accessibility while maintaining the framework's modular architecture. This module typically includes:

• controllers/: Contains Templates.php, the controller responsible for loading templates.
• views/: Stores the template files that define the structure of web pages.

Design Philosophy

Trongate's approach to templates is guided by the following principles:

• Stability: Trongate emphasizes long-term stability, allowing developers to build applications with confidence.
• Performance: Templates are designed to minimize overhead, ensuring efficient page rendering.
• Flexibility: Trongate provides developers with the freedom to implement custom designs or integrate third-party libraries as needed.

Independence from Third-Party Dependencies

Trongate does not impose dependencies on external CSS or JavaScript libraries. Unlike some frameworks that are tightly coupled with specific frontend tools (e.g., Bootstrap or Tailwind), Trongate allows developers to choose their preferred technologies. This approach avoids common issues such as dependency conflicts, security vulnerabilities, and design limitations.

In Summary

Trongate's templating system offers developers a flexible and robust foundation for building web applications. By combining pure PHP with a modular structure, Trongate enables the creation of consistent, reusable templates without imposing unnecessary restrictions. Whether you prefer to build from scratch or integrate third-party tools, Trongate provides the tools and flexibility to meet your needs.

In Trongate, templates are loaded from within controllers using the template method. This technique ensures that pages can follow a defined layout while having dynamic content to be inserted as needed.

Basic Syntax

To load a template, use the template method within a controller:

In this example:

• The first parameter ('public') specifies which method should be invoked from the Templates class
• The second parameter ($data) is an optional associative array containing variables to be passed into the template

How Templates Work

When you call $this->template(), Trongate looks for a corresponding method in the Templates class. Here's an example of how the Templates class is structured:

The load() method is responsible for:

• Loading the template file from the templates/views/ directory
• Making the $data array variables available to the template
• Handling the rendering of the template content

Template File Structure

Template files are PHP files stored in the templates/views/ directory. Usually, most of the content within a template file will be HTML code. However, one of the strengths of PHP is that it can be seamlessly integrated with HTML. Therefore, it's normal for template files to also contain some PHP code, as well as HTML. Here's an example of a template file (named as 'public.php'):

Key points about the template file:

• The template provides the overall HTML structure for your pages
• Template::display($data) is where your view content will be injected
• Template files have access to framework constants like BASE_URL and helper functions like anchor()

Dynamic Template Selection

Trongate allows templates to be dynamically switched at runtime based on context. For example, different templates can be loaded depending on a user's authentication status or access level.

Example: Loading a Template Based on User Level

In this case:

• Admins see the template defined in admin() method of the Templates class
• Other authenticated users see the template defined in members_area() method
• Non-authenticated users are redirected to the login page

When working with templates in Trongate, it's important to understand how they work with view files, and how data is passed between templates and views. This section explains the mechanisms that templates use to locate, load and inject content from view files.

How Templates Locate View Files

When you call the template() method, Trongate needs to determine which view file to load into the template. This process is governed by two key properties in your $data array:

• view_module: Tells the template which module contains the view file
• view_file: Specifies the name of the view file to load

View File Resolution Process

Let's examine how a template locates a view file through a practical example. Consider this URL:

And the corresponding controller code:

In this case:

• When the template is loaded, it looks for the view file based on view_module
• Since view_module is set to 'inventory', the template will look in that module's views directory
• The view file will be loaded from: modules/inventory/views/product_details.php

Default View Module Resolution

If view_module is not specified in the $data array, the template will use the first URL segment to determine where to look for the view file. For example:

In this case, since the URL begins with 'products', the template will look for the view file at:

Data Passing Between Templates and Views

Templates in Trongate automatically make variables from the $data array available to both the template file and the loaded view file. This happens through an automatic extraction process.

Example: Data Extraction

The template system will make first_name available directly in both the template and view file:

This automatic extraction removes the need for manually unpacking variables from the $data array, making your template and view files cleaner and more intuitive to work with.

The Template Display Method

Within your template files, use the display() method to specify where the view content should be inserted.

The display() method is a static method that exists within Trongate's internal Template class. Within a template file, this can be invoked with the following line of code:

Below is an example of a template file that uses the display() method to inject view file content into the page.

The Template::display() method:

• Loads the appropriate view file based on view_module and view_file
• Makes all $data variables available to the view
• Injects the rendered view content into the template

Partials are reusable pieces of code that represent specific sections of a web page. They allow developers to break down complex templates into smaller, more manageable components. Common examples of partials include:

• Headers
• Footers
• Navigation bars
• Sidebars
• Login forms

By using partials, you can maintain a consistent design across your application while reducing code duplication.

How to Use Partials

In Trongate, partials are loaded using the partial() method. This method allows you to include a partial file from the templates/views/ directory. Here's a basic example:

In this example, the footer.php file located in templates/views/ will be included in the template.

Passing Data to Partials

Partials can receive and display data passed from the calling module. You can pass data to a partial by including a $data array as the second argument:

Inside the partial, all variables in the $data array are automatically extracted and can be accessed directly. For example, if $data['year'] = 2023, you can use $year inside the partial.

Nested Partials

Partials can include other partials, allowing you to create complex, nested structures. For example, a footer.php partial might itself include a social_links.php partial:

This nesting capability makes partials a powerful tool for building modular and reusable templates.

Example: Template Without Partials

Here's an example of a template that does not use partials:

Example: Template With Partials

Here's the same template, but with the footer being loaded as a partial:

Organizing Partials into Subdirectories

If you prefer to organize your partials into subdirectories (e.g., templates/views/partials/), you can do so by specifying the full path when calling Template::partial(). For example:

This would look for templates/views/partials/footer.php.

In Summary

Partials are a powerful feature in Trongate that allow you to break down your templates into reusable components. Whether you're building a simple website or a complex web application, partials can help you maintain a clean and organized codebase. By using Template::partial(), you can easily include global or module-specific partials, pass data to them, and even nest partials within each other.

HTML templates often need to load different JavaScript or CSS files depending on the specific page being rendered. Trongate provides a flexible system for handling these additional includes through the _build_additional_includes() method in the Templates class.

Understanding Additional Includes

Additional includes allow you to dynamically add CSS and JavaScript files to your templates. These includes can be placed either in the header (top) or footer (bottom) of your HTML document.

Basic Structure

The Templates class processes additional includes using two key variables:

• $additional_includes_top: For files that need to be included in the document head
• $additional_includes_btm: For files that need to be included at the bottom of the body

Implementation in Templates

Here's how to implement additional includes in your template method:

Template Usage

In your template file (e.g., admin.php), you can place the includes variables where you want the files to be loaded:

Adding Files from Controllers

To add additional files from your controllers, pass them in the $data array:

How It Works

The _build_additional_includes() method processes the files based on their extension:

• For .js files: Generates <script src="..."></script> tags
• For .css files: Generates <link rel="stylesheet" href="..."> tags
• For other file types: Includes the file path as-is

The method also maintains proper HTML formatting by:

• Adding appropriate indentation
• Handling newlines for clean source code
• Ensuring proper closing of HTML tags

Trongate allows you to create custom HTML templates to define the structure and layout of your web pages. This guide will walk you through the process of creating your own template.

Template Location

Templates in Trongate are stored within the 'templates' module, which is located in your application's root directory. This module follows the standard Trongate module structure, containing both 'controllers' and 'views' directories.

Creating a Custom Template

Step 1: Define Your Template Name

Choose a meaningful name for your template that reflects its purpose. Template names should be in snake_case format and clearly indicate the template's intended use. Some examples of good template names include:

• public_template
• admin_dashboard
• member_portal
• auth_pages
• sales_backend

Step 2: Create the Template Method

Open the Templates.php controller file in your templates/controllers directory and add a new method for your template:

Step 3: Create the Template View

Create a new PHP file in your templates/views directory with the same name as your template method. For example, if your method is named 'custom_template', create custom_template.php:

Key Template Components

Your template should include several important elements:

• The base tag with BASE_URL for proper path resolution
• Core stylesheet includes for your application
• The Template::display($data) call where page content will be injected
• Placeholders for additional includes ($additional_includes_top and $additional_includes_btm)

Using Your Template

To use your new template from any controller, specify it when calling the template method:

While templates provide a way to structure individual pages, Trongate's theming system offers a more comprehensive approach to managing your application's appearance. Themes allow you to package templates together with assets such as; stylesheets, fonts, images and JavaScript files to create cohesive design packages.

Beyond Templates

A template is essentially an HTML file with embedded PHP code that defines a page's structure. However, modern web applications often require more sophisticated styling solutions that go beyond simple HTML templates. You might need:

• Multiple coordinated color schemes
• Custom typography and fonts
• Comprehensive icon sets
• Standardized UI components
• JavaScript enhancements
• Theme-specific assets and images

This is where Trongate's theming system comes into play, providing a structured way to manage all these design elements.

Theme Architecture

In Trongate, a theme is more than just a collection of templates - it's a complete design package. Themes are defined in the themes.php configuration file and are structured to provide flexible, reusable design systems.

The Default Admin Theme

Trongate ships with a built-in 'admin' theme, which serves as an excellent example of the theming system's capabilities. This theme is implemented through the admin() method in the Templates class:

While this method appears similar to standard template loading, it actually triggers Trongate's theme loading mechanism, pulling resources from the themes directory rather than the standard templates directory.

Theme Configuration

Themes are defined in config/themes.php. Here's how the admin theme is configured:

The configuration specifies:

• dir: The theme's directory path relative to the themes directory
• template: The primary template file for the theme

Color Scheme Management

The admin theme demonstrates one of Trongate's powerful theming features: easy color scheme switching. By modifying the dir path from default_admin/blue to default_admin/red, you can instantly switch the entire admin interface to a different color scheme.

Theme Structure

A typical Trongate theme directory contains:

• Template files (.php)
• Stylesheets (.css)
• JavaScript files (.js)
• Theme-specific assets (images, fonts, icons)
• Color scheme variations

This structured approach allows themes to provide comprehensive design solutions while maintaining clean separation between different visual aspects of your application.

This section covers the practical aspects of working with themes in Trongate, including theme structure, asset management, and theme creation.

Theme Location and Structure

Themes in Trongate are stored in the public/themes/ directory. Within this directory, you have complete flexibility to structure your themes as needed for your application.

Example: Admin Theme Structure

The default admin theme demonstrates one possible way to organize theme variations:

Alternative structures are possible. For example, a theme with shared assets might use:

Managing Theme Assets

Trongate provides the THEME_DIR constant for referencing theme-specific assets. This constant becomes available when a theme is loaded.

Example: Loading Theme-Specific and Shared Assets

This approach allows you to:

• Share common assets across theme variations
• Override specific styles for each variation
• Maintain a clean separation between shared and variation-specific assets

Registering Themes

Themes are registered in the config/themes.php file. Each theme requires two key properties:

• dir: The theme's directory path relative to public/themes/
• template: The primary template file for the theme

Example: Theme Registration

Theme Loading Process

When a theme is loaded via the template() method, Trongate:

1. Checks if the requested template exists in THEMES
2. If found, constructs the theme path using the theme's directory and template file
3. Defines THEME_DIR for asset referencing
4. Loads the template file with any provided data

The Benefits of Using Themes

While templates serve their purpose for basic page layouts, themes offer several significant advantages that make them invaluable for modern web applications:

• Portability: Entire design packages can be contained within a single folder, making them easy to transfer between projects or share with the community
• Complete Design Systems: Themes can include everything needed for a consistent look and feel:
  • Templates
  • Stylesheets
  • JavaScript files
  • Images and icons
  • Fonts
  • Color schemes
• Easy Switching: Change the entire appearance of your application by modifying a single line in your theme configuration
• Version Control: Keep entire design packages under version control as a single unit, making it easier to track design changes
• Resource Management: The THEME_DIR constant provides a reliable way to reference theme-specific assets, eliminating path management headaches
• Multiple Variations: Support different color schemes or design variations without duplicating your entire codebase
• Clean Separation: Keep design assets separate from your application logic, improving maintainability
• Rapid Deployment: Quick implementation of new designs by switching themes, perfect for A/B testing or seasonal changes

These benefits make themes particularly valuable for applications that require flexible styling, multiple design variations, or the ability to quickly change their appearance.

Trongate's theming system allows you to create comprehensive design packages that include templates, stylesheets, JavaScript files, and other assets. This guide will walk you through the process of creating your own custom theme.

Theme Location

Themes in Trongate are stored in the public/themes directory of your application. Each theme gets its own subdirectory where all its resources are contained.

Creating a Custom Theme

Step 1: Plan Your Theme Structure

Before creating your theme, plan its structure and organization. Consider what elements your theme needs:

• Template files (.php)
• Stylesheets (.css)
• JavaScript files (.js)
• Images and icons
• Other assets (if needed)

Step 2: Create the Theme Directory

Create a new directory in public/themes for your theme. Choose a descriptive name that reflects its purpose. For example:

Step 3: Create the Template File

Create your main template file (e.g., dashboard.php) in your theme directory:

Step 4: Register Your Theme

Open config/themes.php and add your theme configuration:

Key Theme Components

Your theme should include:

• A well-organized directory structure for assets
• The base tag with BASE_URL for proper path resolution
• Proper use of THEME_DIR for asset references
• The Template::display($data) call for content injection
• Support for additional includes ($additional_includes_top and $additional_includes_btm)

Using Your Theme

To use your new theme from any controller, specify it when calling the template method:

Creating Theme Variations

To create variations of your theme (e.g., different color schemes):

1. Create a new directory within your theme folder for each variation
2. Include variation-specific assets (CSS, images, etc.)
3. Register each variation in themes.php
4. Keep shared assets in a common location

Trongate supports 'flashdata'. Flashdata is session data that will only be available for the next request, before being automatically removed. This can be useful for one-time informational messages (for example: 'The record was successfully created').

To Set Flashdata

Flashdata can be set using the set_flashdata() function, like so:

This is assuming that you have a message which, in this instance, has been assigned to a $msg variable. For example.

Of course, you can save a line of code by passing your message directly into your flashdata declaration. For example:

Displaying Flashdata

Flashdata can be displayed by calling flashdata() from within a view file.

By default, flashdata messages will be displayed as green text within a paragraph. However, you can change the format of your flashdata by adding optional opening and closing tags as arguments. For example:

Below is an example of a view file that contains the flashdata() method.

Trongate is loaded with a variety of features that can assist with the uploading of files such as images. Before exploring Trongate's file validation helper, let's have a reminder of how to draw a file uploader form using Trongate:

The code above could be used to produce a form that looks like this:

Understanding The Uploader Form

The uploader form, above, starts by invoking the form_open_upload() method.

As can see, an argument has been passed into the method. The argument represents the destination for the uploader form. The destination is the URL where the user is sent to when the form is submitted. The opening line produces the following HTML code:

Next, we invoked Trongate's validation_errors() method.

The validation_errors() method displays form validation errors, if there are any.

After displaying some text-based instructions, the next important part of our form is:

The form_file_select method displays a form file uploader field. As you can see, the argument 'picture' has been passed into the method. The 'picture' argument represents the name of the file uploader form field. The HTML code that gets generated from the form_file_select() method is shown below:

The 'submit' button has been assigned with a name of 'submit' but the word 'Upload' appears inside the button.

The uploader form is closed by invoking form_close() .

The Trongate framework includes a built-in Pagination class for generating numbered navigation links when displaying multiple pages of content. Below is an example of the pagination output generated by Trongate:

How It Works

Trongate's pagination helper is available for immediate use and can be implemented in three steps:

1. Define Pagination Data - Create an array in the controller.
2. Pass Data to View - Send the pagination data to a view file.
3. Invoke Pagination - Call the pagination helper from the view file.

Defining Pagination Data

The following example demonstrates how to configure pagination data:

The pagination helper does not interact directly with the database. Instead, it uses predefined data from a results set.

Required Properties

The following properties must be included in the $pagination_data array. If any are missing or have an incorrect type, the script will terminate with an error message (e.g., "Pagination Error: Missing required property: total_rows (expected type: int)").

• total_rows: The total number of records available. Type: int

• limit: The maximum number of records per page. Type: int

• record_name_plural: Specifies the plural label for the records. Type: string

Optional Properties

These properties are optional and have default values if not specified. They allow customization of the pagination behavior and appearance.

• page_num_segment: The URL segment number indicating the current page. If not specified (default: null), the last URL segment is used if numeric; otherwise, it defaults to page 1. Type: int

• pagination_root: The base URL for pagination links. If not specified (default: null), it is derived from the current URL, removing the last segment if numeric, and ensuring a trailing slash. Type: string

• include_showing_statement: Determines whether a "Showing x to y of z" statement is displayed above the pagination links. Default: false. Type: bool

• include_css: Determines whether default CSS styles are included in the output as a <style> block. Default: false. If omitted or false, you must style the pagination links yourself. Type: bool

• num_links_per_page: The maximum number of numbered pagination links to display. Default: 10. Links are centered around the current page. Type: int

• settings: An array to customize the HTML structure, labels, and ARIA attributes of pagination links. Default: an empty array ([]), which uses predefined defaults (see "Customizing Pagination with settings"). Type: array

Customizing Pagination with settings

The settings property allows you to override the default appearance and behavior of pagination links. If not provided, the class uses a predefined $default_settings array. You can specify custom values for any of the following keys:

• pagination_open: Opening tag for the pagination container. Default: <div class="pagination">
• pagination_close: Closing tag for the pagination container. Default: </div>
• cur_link_open: Opening tag for the current page link. Default: <a class="active">
• cur_link_close: Closing tag for the current page link. Default: </a>
• num_link_open: Opening tag for numbered links. Default: '' (empty string)
• num_link_close: Closing tag for numbered links. Default: '' (empty string)
• first_link: Text for the "First" button. Default: First
• first_link_open: Opening tag for the "First" button. Default: ''
• first_link_close: Closing tag for the "First" button. Default: ''
• first_link_aria_label: ARIA label for the "First" button. Default: First page
• last_link: Text for the "Last" button. Default: Last
• last_link_open: Opening tag for the "Last" button. Default: ''
• last_link_close: Closing tag for the "Last" button. Default: ''
• last_link_aria_label: ARIA label for the "Last" button. Default: Last page
• prev_link: Text for the "Previous" button. Default: «
• prev_link_open: Opening tag for the "Previous" button. Default: ''
• prev_link_close: Closing tag for the "Previous" button. Default: ''
• prev_link_aria_label: ARIA label for the "Previous" button. Default: Previous page
• next_link: Text for the "Next" button. Default: »
• next_link_open: Opening tag for the "Next" button. Default: ''
• next_link_close: Closing tag for the "Next" button. Default: ''
• next_link_aria_label: ARIA label for the "Next" button. Default: Next page

Example:

If any required keys are missing from your custom settings array, the script will terminate with an error (e.g., "Pagination Error: Missing required settings property: pagination_open").

Default CSS with include_css

When include_css is set to true, the following CSS is injected into the HTML output as a <style> block:

This provides a clean, responsive design with hover effects, an active state, and larger touch targets on mobile devices. If you prefer custom styles, set include_css to false and define your own CSS.

Derived Properties

The Pagination class calculates the following properties automatically and adds them to $pagination_data. These are not set manually but are available for reference:

• root: The full base URL for pagination links (e.g., http://example.com/books/manage/).
• current_page: The current page number (e.g., 2).
• start: The first page number in the link range (e.g., 1).
• end: The last page number in the link range (e.g., 10).
• num_links_to_side: Half of num_links_per_page for link distribution (e.g., 5).
• num_pages: Total number of pages (e.g., ceil(total_rows / limit)).
• prev: Previous page number or empty string if on page 1.
• next: Next page number or last page number if on the last page.
• showing_statement: Text like "Showing 11 to 20 of 100 books." if include_showing_statement is true.

Passing Pagination Data to a View File

The example below demonstrates how to declare and pass pagination data in a controller:

Invoking Pagination from a View File

Once the pagination data has been passed into a view file, pagination elements can be rendered by invoking the display() method:

Mobile-Friendly Pagination

When viewed on smaller screens, pagination components can extend beyond the screen width, leading to usability issues. The default CSS (with include_css set to true) includes a media query for screens under 550px, increasing padding for touch targets. For further customization, consider these approaches:

• Using CSS media queries to hide or modify pagination elements on smaller screens.
• Implementing a simplified mobile format (e.g., "Previous" and "Next" buttons only).
• Using JavaScript to dynamically adjust pagination based on screen width.

Below is an example JavaScript solution for mobile pagination:

The JavaScript code shown above is structured around three main functions:

1. managePagination(): The central function that coordinates everything
   • Sets opacity to 0 during manipulation
   • Checks viewport width and applies the appropriate view
   • Reveals the pagination after changes are complete
2. applyMobileView(): Handles the mobile view (screens < 840px)
   • Adds the "pagination-mobile" class for styling hooks
   • Shows only essential elements: active page, previous («), and next (»)
   • Hides all other pagination links
3. applyDesktopView(): Handles the desktop view (screens ≥ 840px)
   • Removes the "pagination-mobile" class
   • Shows all pagination links

The code also includes debounced resize handling to prevent performance issues during browser resizing.

This approach gives us the best of both worlds - a fully featured pagination on desktop and a simplified, touch-friendly version on mobile, all while maintaining the core functionality of the Trongate framework.

Final Thoughts

Trongate's Pagination class provides a flexible way to add pagination to webpages. Recent enhancements include automatic URL segment detection, customizable settings, and ARIA attributes for accessibility. Whether using the default styles with include_css or tailoring the output with custom settings, the class offers a robust solution for developers.

Trongate includes several useful features that are not part of any specific helper file or class but play an integral role in streamlining web development. These features can be accessed from within any module controller or view file.

The Anchor Function

The anchor() function generates a clickable text link pointing to a URL relative to BASE_URL.

For instance, if the website example.com has a homepage located at:

A contact page at https://example.com/contact can be linked using:

This function accepts up to three parameters:

• $target_url ~ The destination URL.
• $text ~ The displayed link text.
• $attributes (optional) ~ An array of key-value pairs added to the opening 'a' tag.

This function supports both internal and external links by providing a full URL as an argument.

The IP Address Function

The ip_address() function returns the IP address of the current visitor. Syntax:

Example usage in a view file:

Generating Random Strings

The make_rand_str() function generates random strings. Example:

The first argument specifies the string length. Passing true as a second argument ensures uppercase output:

APPPATH

The APPPATH constant returns the absolute file path of the application directory. Example:

Within a view file, the APPPATH can be rendered using PHP short tags, like so:

The JSON Function

The json() function provides a visual representation of data within controllers or views. Syntax:

The optional second argument, when set to true, terminates script execution after displaying the data.

Example usage in a view file:

Sample output:

The Out Function

The out() function escapes and formats strings for safe output in different contexts. Parameters:

• $input ~ The string to escape.
• $encoding (optional) ~ Character encoding (default: 'UTF-8').
• $output_format (optional) ~ Output format: 'html' (default), 'xml', 'json', 'javascript', or 'attribute'.

Example 1: Safe Output from JSON Data

Example 2: Securing Database Output

Trongate contains a wide assortment of in-built form helpers to assist with form building. Form helpers are a set of PHP functions designed to simplify the process of creating and managing HTML forms within your application.

With Trongate, all form helpers are available immediately and with no requirement to load anything. There is also no need to update any configuration files if you want to use Trongate's form helpers. In short, they just work "out of the box".

Opening A Form

The creation of an HTML form that posts data to an endpoint (URL) requires a form opening tag. A form opening tag typically contains:

1. A method property
2. A form location

In normal (vanilla) HTML, this could be written like so:

Trongate's Form Open Function

With Trongate's form_open() function, an opening form tag can easily be rendered from within a view file. For example:

Having this code inside a view file will result in the following HTML being rendered:

Rendering Form Elements

Having produced a form opening tag, your next goal should be to render form elements such as form input fields. A full breakdown of all available form elements can be viewed here. In the meantime, and for brevity, here are some commonly used form helpers that can be used to generate form elements.

Input Fields

The form_input() helper function can be used to create an HTML form input element, for text input. For example:

In the code sample above, the first parameter represents the 'name' attribute, and the second is the default value. This means that the above code snippet would render a form input field that has been pre-populated with the username, 'John'.

The PHP code above would render the following HTML:

Textareas

The form_textarea() function mirrors form_input() in every way except that it creates a "textarea" element.

In the code sample above, the first parameter represents the 'name' attribute, and the second is the default value for the textarea. In the code snippet above, the default value has been set to an empty string. This would produce an empty textarea element, like so:

Dropdowns

The form_dropdown() helper function generates an HTML select (dropdown) element with multiple options. For example:

In the example above, the first parameter represents the 'name' attribute, the second is an associative array of options, and the third is the selected option.

Here's the HTML that would be rendered by the above code sample:

Checkboxes and Radio Buttons

The form_checkbox() and form_radio() helper functions are used to create checkbox and radio button elements, respectively. For example:

In the code above, the first parameter represents the 'name' attribute, the second is the value, and the third is a boolean indicating whether the element should be checked by default.

Here's the HTML code that would be produced from the form_checkbox() code snippet, as shown above:

Here's the HTML code that would be produced from the form_radio() code snippet, as shown above:

File Input

The form_file_select() helper function generates an HTML file input element for file uploads. For example:

In this example, the first parameter represents the 'name' attribute of the file input element.

Here's the HTML code that would be produced from the above code snippet:

Submit Button

The form_submit() helper function creates an HTML submit button for submitting forms. For example:

In the example above, the first parameter represents the 'name' attribute, and the second is the button's label text.

Here's the HTML code that would be produced from the above code snippet:

Closing the Form

The form_close() helper function is used to close an open form. It not only generates the closing form tag but also includes a hidden CSRF token field for enhanced security. For example:

Here's the HTML code that would be produced from the above code snippet:

Note: The [random_token] placeholder represents a dynamically generated CSRF token value for security purposes.

Form Attributes

Most of Trongate's form helper functions can accept an array of attributes to customize form elements:

This will generate an input field with the specified class and style attributes.

Complete Form Example

Below is a complete example of how to create a form in Trongate. This example includes a controller method and a corresponding view file.

Controller Method

The controller method initializes the form data and passes it to the view file:

View File

The view file contains the HTML and PHP code to render the form:

This example demonstrates how to create a form for adding a new task. The form includes fields for the task title, description, and a checkbox to mark the task as complete. The form also includes a submit button and a cancel link.

The Benefits of Using Trongate's Form Helpers

Trongate's form helper functions offer several advantages over raw HTML:

• Automatic Security: Values are escaped using HTML entity encoding to prevent XSS vulnerabilities.
• Validation Integration: Seamless error highlighting and repopulation after form validation failures.
• CSRF Protection: Built-in CSRF token generation through the form_close() function.
• Consistent Syntax: PHP-based helpers reduce context switching between HTML and PHP.
• Reduced Boilerplate: Simplified creation of complex elements like dropdowns and checkboxes.

In Trongate, retrieving data submitted through HTML forms is both straightforward and secure. The framework provides a range of tools to help you access, clean, and process form data effectively. Whether you're working with standard form submissions or JSON payloads, Trongate ensures consistency and simplicity in handling user inputs.

Form Data Handling in Trongate

Trongate supports retrieving data across all HTTP methods (GET, POST, PUT, PATCH, DELETE). Form data can be retrieved seamlessly, whether it is submitted via form-encoded content or as JSON payloads. Additionally, the framework includes features to clean and normalise user input where required.

The post() Function

The post() function is a powerful tool for accessing form data. It allows you to retrieve data from any HTTP request and works with both form-encoded and JSON payloads. The function also includes an optional cleanup mechanism for trimming whitespace and normalising internal spaces.

Basic Usage

To retrieve the value of a specific form field, call the post() function with the field name:

This will return the value of the task_title field. If the field does not exist, the function will return an empty string.

Cleaning Up Data

By passing true as the second argument to post() , you can clean up the retrieved data. This process trims any leading or trailing spaces and reduces multiple spaces within the string to a single space:

   Michael           Jackson   

Michael Jackson

Working with Form Data in Controllers

Below is an example of how you might retrieve and process form data in a Trongate controller:

Conclusion

Retrieving form data in Trongate is designed to be straightforward, secure, and efficient. By using tools like the post() function, you can handle user input with confidence, whether it originates from standard HTML forms or complex JSON payloads. This consistent approach ensures a smooth development experience for handling form submissions across different scenarios.

Form validation is a crucial aspect of web development, ensuring that user-submitted data meets the required criteria before being processed or stored. Proper validation not only improves user experience by providing immediate feedback but also protects your application from common security threats such as SQL injection, cross-site scripting (XSS), and data corruption. The Trongate PHP framework provides a robust and flexible validation system that simplifies the process of validating form inputs.

Overview of Trongate's Validation System

Trongate's validation system is designed to be intuitive and easy to use. It allows developers to define validation rules for form fields, automatically handle error messages, and ensure that only valid data is processed. The validation process is managed by the Validation class, which provides methods for setting rules, running validation checks, and handling errors.

Key Features of Trongate's Validation System

• Flexible Rule Definition: You can define validation rules for each form field, including required fields, minimum and maximum lengths, numeric values, email validation, and more. For example, you can easily set rules like required|min_length[2]|max_length[255] to ensure a username is between 2 and 255 characters long.
• Automatic Error Handling: The system automatically generates and displays error messages for invalid inputs, making it easy to provide feedback to users. Error messages can be displayed either as a block at the top of the form or inline next to each field.
• CSRF Protection: Trongate includes built-in CSRF (Cross-Site Request Forgery) protection to secure your forms against malicious attacks. Each form submission is automatically checked for a valid CSRF token, ensuring that the request originated from your application.
• Custom Validation: You can create custom validation rules and callbacks to handle specific validation requirements. For example, you can enforce rules like "The last name cannot be 'Rambo'" by defining a custom validation method.

Implementing Form Validation in Trongate

Let's walk through the process of implementing form validation in a Trongate application.

Step 1: Define Validation Rules

In your controller (e.g., Tasks.php), you can define validation rules for each form field using the set_rules method. This method takes three parameters:

1. Field Name: The name of the form field.
2. Field Label: The label used in error messages.
3. Validation Rules: A string or array of rules to apply to the field.

For example, in the submit method of the Tasks controller, the following rules are defined for the task_title and task_description fields:

$this->validation->set_rules('task_title', 'Task Title', 'required|min_length[2]|max_length[255]');
$this->validation->set_rules('task_description', 'Task Description', 'required|min_length[2]');

These rules ensure that:

• The task_title field is required, has a minimum length of 2 characters, and a maximum length of 255 characters.
• The task_description field is required and has a minimum length of 2 characters.

Step 2: Run the Validation

After defining the validation rules, you can run the validation checks using the run method. This method returns true if all validation rules pass, or false if any validation errors occur.

$result = $this->validation->run();

if ($result === true) {
  // Validation passed, process the form data
} else {
  // Validation failed, redisplay the form with error messages
  $this->create();
}

If validation fails, the form is redisplayed with error messages, allowing the user to correct their inputs.

An Alternative Syntax for Setting Form Validation Rules

While the pipe symbol syntax, as demonstrated earlier, is efficient and concise, it can become unwieldy when dealing with forms that contain multiple fields and complex validation rules. To address this, the Trongate framework offers an alternative syntax for setting form validation rules: Array-Based Rule Setting. This approach provides a more structured, readable, and maintainable way to define validation rules for your forms.

How It Works

In the Array-Based approach, instead of chaining validation rules using the pipe symbol |, you define each rule as part of an associative array. In this syntax, the keys represent the form field names, and each field is assigned an array of validation rules. This provides better organisation and flexibility, especially for forms with many fields and complex requirements. Here's an example:

Now, let's compare the two approaches for setting validation rules:

Using the Pipe Symbol to Chain Validation Rules:

Using Array-Based Syntax to Define Validation Rules:

While the array-based syntax requires more lines of code, it offers a more organised structure and takes up less horizontal space compared to the pipe symbol approach. Ultimately, the choice between these two methods depends on your project's needs and your preferred coding style.

Key Points Regarding Setting Validation Rules

• Each form field is assigned its own set of validation rules within a sub-array.
• Validation rules are defined as key-value pairs within each field's sub-array.
• The main $validation_rules array uses field names as keys.

All of the validation rules that have been used in this page are built into the framework. In other words, the inner workings of the various validation rules have been written into the Trongate framework. In the next section, we'll explore how to set your own custom form validation rules.

In certain scenarios, you may need to implement form validation checks that go beyond the built-in rules provided by Trongate's Validation class. In such cases, custom form validation callbacks become invaluable.

General Concept

When using Trongate's Validation class to apply form validation checks, the set_rules method plays a crucial role in defining the validation rules for specific form fields. For instance, the following code ensures that both the 'first_name' and 'last_name' fields must:

• Not be empty
• Be at least 2 characters long
• Be no more than 255 characters long

Adding Custom Validation Checks

To implement validation rules not covered by Trongate's default tests, you can create custom validation callbacks. For example, let's say you want to enforce the rule: "The last name cannot be 'Rambo'". To do this, follow these steps:

1. Declare the custom validation check.
2. Create a method to define the behavior of the custom validation check.

Declaring a Custom Validation Check

To declare a custom validation rule, prepend the rule name with 'callback_', followed by the name of the method that will handle the validation logic. For example, if you have a method called check_last_name() for this custom validation, you would append it to the set_rules declaration for 'last_name' field, like so:

This means the block of code for applying form validation rules would now look like this:

Creating a Custom Validation Method

Custom validation methods automatically receive the posted form field value as an argument and should return either a boolean true (indicating validation success) or an error message (as a string). The following demonstrates the basic structure of a typical custom validation callback method:

To implement the custom rule where the last name cannot be "Rambo", the method would look like this:

If the submitted last_name fails the custom validation check, the following error message will be returned:

We don't want guys like you in this town.

On the other hand, if the submitted last_name passes the custom validation, the method will return true, and no error message will be generated.

In the next section, we will explore how display form validation errors.

The following table lists all of Trongate's built-in form validation rules, including those for file and image uploads.

When a form is submitted and validation errors are produced, it is standard practice to re-present the form to users. It's also standard practice to present users with form validation errors in those instances. This approach gives users an opportunity to correct their input without losing the information they have already entered.

The typical technique for re-presenting forms to end users is to invoke the method responsible for displaying the previous page (i.e., the page that renders the HTML form). For example:

By immediately re-invoking the create() method, as shown above, the entire page that renders the HTML form will be re-rendered.

When forms that produce validation errors are re-presented to the end user, an array of form validation errors will be made available.

There are two techniques that can be used to display validation errors:

1. Traditional
2. Inline

1. Traditional Validation Errors Display

This approach involves displaying all validation errors at once, typically at the top of the form.

How to Implement:

• Use the run() method to execute form validation checks.
• If the run() method returns a value of true (boolean), you may assume that the submitted form field values have passed all of the form validation checks.
• On the other hand, if the run() method returns a value of false (boolean), this means that one or more form validation errors have been produced.

The validation_errors() method will display all of the form validation errors together. The line of code responsible for rendering the validation errors is usually placed inside a view file and above the corresponding form.

2. Inline Validation Errors Display

Trongate offers an alternative methodology for displaying form validation errors: inline validation errors.

With inline validation errors applied, individual form validation errors are displayed next to their respective form fields, providing what some consider to be a more modern user experience.

How to Implement:

1. Add the class highlight-errors to your form tag.
2. For each form field, use the validation_errors() function with the field name as an argument.

For example:

This method will display errors inline, next to their respective fields.

By effectively utilizing these validation error display techniques, you can create user-friendly forms that provide clear feedback, improving the overall user experience of your Trongate application.

In Trongate, after form validation is complete, the next crucial step is processing the submitted data. This section covers the implementation patterns for handling validated form data.

The Data Processing Workflow

A typical form processing workflow in Trongate follows this pattern:

Processing Valid Submissions

When handling validated form data, you'll typically need to:

1. Collect the submitted data
2. Determine the operation type (insert or update)
3. Perform the database operation
4. Provide user feedback
5. Direct the user to the next appropriate page

Here's a real-world example that demonstrates this workflow:

Data Collection Strategies

The get_data_from_post() method is crucial for organizing form data. Here's an example that includes data transformation:

Handling data securely is a cornerstone of building robust web applications. This page outlines best practices for managing user input, database interactions, and data rendering in the Trongate PHP framework, ensuring your application remains secure and efficient.

Escaping Data: What and Why?

Escaping data is the process of converting potentially harmful characters into safe equivalents to prevent security vulnerabilities like Cross-Site Scripting (XSS). For example, converting < and > into < and > ensures that user input is treated as plain text, not executable code.

Example of XSS Vulnerability

Consider a forum where a user posts:

Without escaping, this script would execute in users' browsers, redirecting them to a malicious site. Proper escaping ensures the input is rendered as harmless text.

Common Misconceptions

A frequent mistake is escaping data before inserting it into the database. This corrupts the original data and limits its usability. Instead:

• Store raw data in the database.
• Escape data at the point of rendering to ensure it's safe for display.

Risks of Improper Data Handling

Failing to handle data securely can lead to:

• Cross-Site Scripting (XSS): Malicious scripts executed in users' browsers.
• SQL Injection: Unauthorized database access or manipulation.
• Data Corruption: Loss of critical information due to premature escaping.

Best Practices for Secure Data Handling

1. Validate Input

Ensure user input meets expected formats and values. Always validate on the server side, as client-side validation can be bypassed.

2. Sanitize Input

Remove unwanted characters (e.g., stripping HTML tags) to prevent injection attacks.

3. Escape at Rendering

Escape data when rendering it to the user, ensuring it's safe for the intended context (HTML, JavaScript, etc.).

4. Use Trongate's Model Class

The Trongate framework has a built-in Model class that has been designed for safe and effortless database interaction. If you use the Model class, you'll never have to worry about SQL injection attacks!

How To Safely Display Submitted Data

Trongate provides the out() function to safely escape and format data for various output contexts. It ensures that user-submitted data can be displayed securely, preventing issues such as Cross-Site Scripting (XSS).

The out() function supports the following output formats:

• HTML (default)
• XML
• JSON
• JavaScript
• HTML Attributes

When To Use out()

It's important to know when to use the out() function. Trongate's built-in helpers, such as form_input() , already handle escaping for you when generating form elements. This means that there is no need to use out() when rendering form elements by usage of Trongate's form helper functions. However, in other contexts, you should use the out() function, especially when manually outputting user-submitted data. Examples include:

• Displaying dynamic content directly in an HTML document
• Inserting user-submitted data into JavaScript, JSON, or XML
• Escaping data for use in custom HTML attributes

Example Usage:

Here's how you can use the out() function to escape user-submitted data for safe inclusion in an HTML context:

Other Output Formats:

You can specify the desired output format using the third parameter:

JSON:

JavaScript:

Best Practices:

• For dynamic content outside of form_helpers (e.g., displaying raw user input in HTML, JSON, or JavaScript), use the out() function to ensure proper escaping.
• When using Trongate's **form_helpers**, such as form_input() , you don't need to use out() for attributes, as escaping is already handled internally.
• Specify the appropriate output format for the context where the data will be used (e.g., JSON, JavaScript).

By using the out() function appropriately and relying on Trongate's built-in helpers where applicable, you can ensure your application remains secure while following best practices.

Database Interaction with Trongate's Model Class

Trongate's Model class simplifies secure database interactions. Use it to insert, update, and query data without compromising security.

Example: Inserting or Updating Records

In Summary

By following these best practices, you can ensure your Trongate application handles data securely and efficiently:

• Validate and sanitize user input.
• Escape data at the point of rendering using the out() function.
• Interact with the database securely using Trongate's Model class.

Adhering to these principles will help to keep your applications both robust and secure.

Trongate provides robust support for file handling and image manipulation through its built-in File and Image classes. These classes are designed to make file operations secure, efficient, and easy to manage. Whether you need to upload files, resize images, or perform other file-related tasks, Trongate has you covered.

File Class

The File class is a comprehensive file management tool that supports a wide range of file operations. It includes functionalities for reading, writing, and managing directories. The class is designed with security in mind, preventing access to critical directories and ensuring that file operations are performed safely.

Image Class

The Image class is specifically designed for handling image files. It supports various image formats (JPEG, GIF, PNG, WEBP) and provides functionalities for loading, resizing, and saving images. The class leverages PHP's GD library to perform these operations efficiently and securely.

Security Considerations

When handling files and images in a web environment, it is crucial to be aware of the security implications. Trongate's File and Image classes include measures such as validating upload paths to ensure they are within the application's directory structure and not in restricted areas. This helps mitigate risks associated with unauthorized access and directory traversal attacks. Always ensure that sensitive directories are protected and that file operations are performed within the application's scope. Additionally, consider the following best practices:

Next Steps

In the following sections, we will delve deeper into the specific methods and functionalities provided by the File and Image classes. You will learn how to use these classes to perform various file handling tasks and manipulate images effectively.

The Trongate File class provides a comprehensive suite of methods for efficient and secure file management within your application. This class supports functionalities like uploading, deleting, reading, writing files, and managing directories. Access restrictions are in place to prevent unauthorized access to critical directories such as 'config', 'engine', and 'templates', as well as any files directly under the root application level (e.g., '.htaccess').

Getting Started

To use the Trongate File class, you need to instantiate the class and then call its methods. Here’s a basic example of how to use the read() method:

Available Methods

Below is a table listing all the available methods in the Trongate File class, along with a brief description of each method:

The Trongate Image class provides a comprehensive suite of methods for efficient and secure image manipulation within your application. This class supports functionalities like loading, resizing, and saving images. It uses PHP's GD library and supports JPEG, GIF, PNG, and WEBP image formats. Access restrictions are in place to prevent unauthorized access to critical directories such as 'config', 'engine', and 'templates', as well as any files directly under the root application level (e.g., '.htaccess').

Getting Started

To use the Trongate Image class, you need to instantiate the class and then call its methods. Here’s a basic example:

This example demonstrates how to load an image from a specific directory, resize it, and save the resized image to another directory, all while using Trongate's APPPATH constant for path management.

Available Methods

Below is a table listing all the available methods in the Trongate Image class, along with a brief description of each method:

Trongate provides the necessary tools to build custom file uploaders. The process of building a file uploader is similar to building any other form, but with a few additional steps to handle the file itself.

Here is a list of the main components that make up a custom file uploader:

• A webpage with a file upload form: This is the user interface that allows users to select a file and submit it to the server.
• A method for receiving post requests from the uploader: This is the server-side code that handles the file once it has been submitted by the user.
• Some validation tests: These ensure that the submitted file meets the requirements set by the application (e.g., file type, size).
• A means of gracefully dealing with errors: This includes handling errors that occur during validation, as well as errors that may happen during the file upload process.
• A destination directory where files are to be uploaded to: This is the location on the server where the uploaded file will be saved.
• A little bit of configuration: This includes setting up the destination directory and any other settings that the application requires.
• A success message or page: This is the message or page that is displayed to the user once the file has been successfully uploaded.

Most of these components are similar to what you would expect in any form-building scenario. The upcoming sections of this chapter will provide a detailed guide on how to build each of these components and put them together to create a custom file uploader using Trongate.

Trongate’s Two Upload Methods

The main Trongate class (Trongate.php) contains two distinct methods for handling file uploads: upload_file() and upload_picture() . While both methods facilitate file uploads, they serve different purposes and are optimized for different scenarios.

The upload_file() Method

The upload_file() method is designed for general-purpose file uploads. It handles the basic process of moving a file from a temporary location to its final destination on your server. This method is ideal when you need to:

• Upload non-image files (PDFs, text files, documents, etc.)
• Upload images without requiring any additional processing
• Perform basic file operations without any specialized handling

The upload_picture() Method

The upload_picture() method is specifically designed for handling image uploads that require additional processing. Beyond the basic upload functionality, this method can:

• Automatically resize images to meet specified dimensions
• Generate thumbnails of uploaded images
• Handle image-specific validation and processing

Choosing the Right Method

When building a file uploader, selecting the appropriate method is crucial. Here's a guide to help you make the right choice:

Use upload_file() when:

• You're uploading non-image files (documents, PDFs, etc.)
• You need to upload images but don't require any resizing or thumbnail generation
• You want simple, straightforward file handling without additional processing

Use upload_picture() when:

• You're working specifically with image files (JPEG, PNG, GIF, etc.)
• You need automatic image resizing capabilities
• You want to generate thumbnails automatically
• You require image-specific processing or validation

Handling Mixed File Types

If your application needs to handle both image and non-image files, you can implement logic to determine which method to use based on the file type. Here's an example:

In the next sections, we'll look at practical examples of how to implement both types of uploaders and explore their configuration options in detail.

Let's walk through building a document uploader using Trongate's upload_file() method. This example will demonstrate creating a secure PDF document uploader with proper validation and error handling.

Step 1: Create the Upload Form

Create a view file (e.g., upload_form.php) in your module's views directory:

Step 2: Create the Controller

Create a controller (e.g., documents.php) in your module's controllers directory:

Step 3: Create the Success View

Create a success view file (e.g., upload_success.php):

Directory Structure

Your module structure should look like this:

Understanding the Configuration Options

File Upload Validation Rules

Trongate provides several validation rules specifically for file uploads:

• required: Ensures a file was selected
• allowed_types[type1,type2]: Specify allowed file extensions (e.g., pdf,doc,txt)
• max_size[size_in_kb]: Maximum file size in kilobytes

Handling the Upload Response

On successful upload, upload_file() returns an array containing:

• file_name: The name of the uploaded file
• file_path: The complete server path to the uploaded file
• file_type: The MIME type of the uploaded file
• file_size: The size of the uploaded file in bytes

In the next section, we'll explore using the upload_picture() method, which provides additional features specifically for handling image uploads.

Let's walk through building an image uploader using Trongate's upload_picture() method. This example will demonstrate creating a secure image uploader that includes automatic image processing capabilities.

Step 1: Create the Upload Form

Create a view file in your module's views directory:

Step 2: Initialize Picture Settings

Create a method in your controller to define image settings:

Step 3: Create the Upload Handler

Add the upload handler method to your controller:

Directory Structure

Your module structure should look like this:

Understanding Picture Settings

In the next section, we'll take a closer look at how file validation, including image validation, is handled with Trongate.

Trongate provides a robust validation system for file uploads, ensuring that uploaded files meet specific criteria such as file type, size, and image dimensions. This guide focuses on the validation aspects of file and image uploads, building on the foundational knowledge from the previous section.

Key Validation Rules for File Uploads

When handling file uploads, Trongate allows you to define validation rules to ensure that uploaded files meet your application's requirements. These rules are applied using the set_rules() method in the Validation class.

Common Validation Rules

Here are the most commonly used validation rules for file uploads:

• allowed_types: Specifies the allowed file extensions (e.g., jpg, png, gif).
• max_size: Specifies the maximum file size in kilobytes (e.g., 2000 for 2MB).
• max_width: Specifies the maximum width for images (in pixels).
• max_height: Specifies the maximum height for images (in pixels).
• min_width: Specifies the minimum width for images (in pixels).
• min_height: Specifies the minimum height for images (in pixels).
• square: Ensures the image is square (width equals height).

Example Validation Rules

Here’s an example of how to define validation rules for an image upload:

In this example:

• The file must be one of the following types: gif, jpg, jpeg, or png.
• The file size must not exceed 2000 KB (2MB).
• The image width and height must not exceed 1200 pixels.

Security Checks

Trongate includes built-in security checks to ensure that uploaded files do not contain malicious content, such as PHP code or other dangerous patterns. These checks are automatically performed when using the upload_picture() method.

Handling Validation Errors

If a file fails validation, Trongate will automatically add an error message to the form_submission_errors array. You can display these errors in your view using the validation_errors() helper function.

Summary of Validation Tests

Below is a table summarizing all the available validation tests for file uploads, sorted alphabetically:

Built-in Security Features

Trongate provides a comprehensive suite of security features designed to ensure that file uploads are handled safely and efficiently.

File Validation

Trongate's Validation class offers extensive control over allowed file types and characteristics. For example:

Trongate implements several security measures during file validation, including:

• MIME type verification using PHP's finfo_file()
• Automatic path traversal protection to prevent directory manipulation
• Built-in protection against upload-based PHP code execution
• Automatic file extension normalization and validation
• Content scanning to detect potential security threats in the file

File Upload Settings

Settings pertaining to upload behavior can be declared inside modules. The framework includes several built-in protections, such as:

• Automatic validation of upload destinations for proper permissions and security
• Prevention of uploads to restricted system directories
• Memory usage monitoring for safe image processing
• Secure file naming system that prevents naming conflicts

Example settings configuration:

Framework Philosophy

Trongate's approach to file uploading is designed to provide essential security features out of the box while allowing flexibility for additional measures. The framework emphasizes:

• Robust security features to protect against common vulnerabilities
• Efficient and maintainable core implementation
• Flexibility to extend and customize security measures as needed

Example Implementation

Here's a typical implementation:

Making Security Decisions

When evaluating if you need additional security measures, consider:

• Who can upload files?
• What types of files are allowed?
• How sensitive is your application?
• What are the consequences of a malicious upload?

Based on these answers, you can determine if Trongate's built-in features are sufficient or if you need additional security measures.

There's actually not much to say here! It's very easy. Suppose you want to take a module from 'site A' and add it onto 'site B'. In that kind of situation all you have to do is copy and paste. That's it.

Here's a video demonstration:

Authorization and authentication are foundational pillars of secure web development, ensuring that users can access the resources they need while protecting sensitive data from unauthorized access. While these terms are often used interchangeably, they serve distinct purposes:

What is Authentication?

Authentication is the process of verifying the identity of a user. It answers the question: "Who are you?" In most applications, this involves a user providing credentials, such as a username and password, to prove their identity. Once authenticated, the system recognizes the user and grants them access to protected areas or resources.

What is Authorization?

Authorization, on the other hand, determines what an authenticated user is allowed to do. It answers the question: "What are you permitted to access or perform?" For example, a regular user might be able to view their profile, while an administrator might have the authority to manage user accounts or modify system settings.

Trongate's Approach to Authorization & Authentication

Trongate provides a robust and flexible system for handling both authentication and authorization through its built-in modules. At the heart of this system lies the concept of tokens, which are unique strings representing a user's authenticated session. These tokens are generated upon successful login and stored securely, either in the session, a cookie, or passed via HTTP headers. The token system is designed to work seamlessly with a variety of database tables, enabling developers to define and enforce granular access control.

Key Components of Trongate's Token System

Trongate's token-based security system revolves around three primary database tables, each playing a critical role in managing user access:

• trongate_user_levels: Defines various user levels within the application, such as 'admin' or 'member'. These levels determine the scope of a user's permissions.
• trongate_users: Stores user credentials and associates each user with a specific user level. This table acts as the bridge between users and their roles.
• trongate_tokens: Manages the generation, storage, and validation of authentication tokens. Tokens are time-limited and automatically purged when expired, ensuring a high level of security.

In addition to these core tables, Trongate integrates with other modules to provide a comprehensive security framework. For instance, the Trongate Security module enforces access control based on predefined scenarios, while the Trongate Tokens module handles token generation and validation. Together, these components ensure that only authorized users can access specific parts of the application.

Understanding Scenarios

A scenario in Trongate refers to a specific context or condition under which access control is enforced. For example, accessing the admin panel might require a different level of authorization compared to viewing a members-only page. Scenarios allow developers to define granular rules for different parts of the application, ensuring that users are granted access only to the resources they are permitted to use. By leveraging scenarios, Trongate provides a flexible and modular approach to authorization, making it easy to adapt to the unique needs of your application.

How Trongate's Token System Works

Trongate's token system operates in a database-driven manner, requiring a connection to a MySQL database for full functionality. When a user successfully logs in, a token is generated and stored in the trongate_tokens table. This token is then used to authenticate the user across subsequent requests, whether submitted via HTTP headers, cookies, or sessions. The system validates the token against the database, checking its expiration date and associated user level to determine whether access should be granted.

One of the key strengths of Trongate's token system is its flexibility. Developers can define which events trigger token generation—such as completing a registration form, subscribing to a service, or clicking a confirmation link. Additionally, the system is designed to be future-proof, allowing integration with various authentication mechanisms beyond traditional username/password methods. Whether you're building a web application, a mobile app, or an API-driven service, Trongate's token system provides a secure and scalable foundation for managing user access.

In the following sections, we will delve deeper into the mechanics of Trongate's token system, exploring how these components interact and how you can leverage them to build secure, user-friendly applications.

Core Components of Trongate’s Token System

At the heart of Trongate’s authorization and authentication framework lies a trio of database tables that work together to manage user access securely. These tables form the backbone of the token system, enabling granular control over user roles, permissions, and session management.

trongate_user_levels

This table defines the various user levels (e.g., admin, member) within the application. Each user level corresponds to a specific set of permissions, determining what actions a user can perform. For example:

By defining user levels here, developers can enforce role-based access control across the application.

trongate_users

The trongate_users table serves as a bridge between users and their roles. It links each user to a specific user level via the user_level_id field. Additionally, it generates a unique code for each user, which can be used for secure identification. For instance:

This table ensures that every user is associated with a role, enabling seamless integration with the token system.

trongate_tokens

The trongate_tokens table manages the generation, storage, and validation of authentication tokens. Each token is tied to a specific user (user_id) and has an expiration date (expiry_date). For example:

Tokens are automatically purged from the database once they expire, ensuring a high level of security.

To visualize how these tables interact, refer to the following table joins screenshot, which illustrates the relationships between trongate_tokens, trongate_users, and trongate_user_levels.

How Tokens Enable Secure Access

Tokens play a pivotal role in Trongate’s security framework by acting as proof of authentication. Once a user successfully logs in, a token is generated and stored securely—either in the session, a cookie, or passed via HTTP headers. This token is then used to authenticate the user during subsequent requests.

For example, when a user submits a request to access a protected endpoint, Trongate validates the token by checking its expiration date and ensuring it matches a valid user. If the token is valid, access is granted; otherwise, the request is denied.

Token Lifecycle Overview

While upcoming pages will delve deeper into the specifics of token generation, validation, and cleanup, here’s a high-level overview of the token lifecycle:

• Generation: Tokens are created upon specific events, such as successful login or account creation. Developers can customize parameters like expiry_date and whether the token should be stored in a cookie.
• Storage: Tokens can be stored in multiple locations, including:
  • Session: Ideal for server-side applications.
  • Cookies: Useful for client-side persistence.
  • HTTP Headers: Commonly used for API-based interactions.
• Validation: Trongate validates tokens by querying the trongate_tokens table, ensuring the token is active and associated with a valid user.
• Expiration and Cleanup: Tokens have a default lifespan of one day (86,400 seconds). Expired tokens are automatically purged from the database to maintain system integrity.

In Summary

• Token generation in Trongate is handled by the Trongate Tokens module.
• Every token is assigned to a user_id.
• The user_id property refers to the trongate_users table.

In addition, tokens can be stored in multiple locations, including:

• Session variables: Ideal for server-side applications.
• Cookies: Useful for client-side persistence.
• HTTP Headers: Commonly used for API-based interactions.

When generating tokens, you have the option to:

1. Manually set an expiration date and time.
2. Allow the token lifespan to default to the $default_token_lifespan.

Video Tutorial

Here's a video tutorial, walking you through how to build a private area using Trongate's token system.

Overview of Token Validation

The Trongate framework provides a robust mechanism for fetching and validating user tokens, which is crucial for implementing secure authentication and authorization in your applications.

Token validation is primarily handled by the Trongate Tokens module, specifically through the _attempt_get_valid_token() method. This method validates tokens based on their existence in the database, their expiration status, and—most importantly—their association with specific user levels.

The Mechanics of Token Retrieval

When an end user is allocated a 'Trongate token', the relevant details about the token are stored in the trongate_tokens database table. Upon subsequent visits to the application, the _attempt_get_valid_token() method can be used to retrieve and validate user tokens.

This method is versatile and adapts to various authentication scenarios by searching for tokens in multiple locations and applying optional user-level filters.

Method Signature

Parameters

Return Value

The method returns either a string (the valid token) or a boolean false if no valid token is found.

Token Retrieval Process

The _attempt_get_valid_token() method searches for tokens in the following locations, in order of priority:

1. HTTP headers ($_SERVER['HTTP_TRONGATETOKEN'])
2. Cookies ($_COOKIE['trongatetoken'])
3. Session ($_SESSION['trongatetoken'])

If a token is found in any of these locations, it is validated against the database to ensure it has not expired and matches the specified user-level criteria (if provided).

How Validation Works

The validation process involves the following steps:

1. Token Collection: The method collects tokens from HTTP headers, cookies, and session variables.
2. Database Query: Each token is queried against the trongate_tokens table to verify its existence and expiration status.
3. User-Level Filtering: If user-level filtering is applied, the method ensures the token corresponds to a user with the required permissions.
4. Return Valid Token: If a valid token is found, it is returned; otherwise, the method returns false.

Usage Examples

Example 1: Fetching Any Valid Token

To retrieve a valid token for any user level:

Example 2: Fetching Token for Specific User Level

To fetch a token for users with an 'admin' user level (assuming 'admin' has an ID of 1 in the trongate_user_levels table):

Example 3: Fetching Token for Multiple User Levels

To retrieve a token for users with either 'admin' or 'member' user levels (assuming IDs 1 and 2 respectively):

Validating Tokens Against Custom Conditions

While the _attempt_get_valid_token() method is effective for validating tokens against user levels, some applications may require more granular validation. For example, you might need to ensure that a token corresponds to a specific user ID or other custom criteria. In such cases, you can use the following methods:

Fetching the Trongate User ID

To validate a token against a specific user ID, use the _get_user_id() method. This method retrieves the Trongate User ID associated with a token:

If you have a specific token to validate, you can pass it as an argument:

Fetching the Trongate User Object

For more detailed user information, use the _get_user_obj() method. This method returns an object containing the user's data, including their user level, token, and expiration date:

Fetching the User Level

To validate a token against a specific user level, use the _get_user_level() method. This method retrieves the user level associated with a token:

Security Considerations

When validating tokens, keep the following security considerations in mind:

• Token Expiry: Ensure that tokens have a reasonable lifespan to minimize the risk of unauthorized access.
• Secure Storage: Use HTTPS to protect tokens transmitted via HTTP headers or cookies.
• Granular Validation: For sensitive operations, combine token validation with additional checks, such as verifying the user ID or role.

In Summary

The _attempt_get_valid_token() method is a powerful tool for retrieving and validating user tokens in Trongate applications. While it excels at validating tokens against user levels, additional methods like _get_user_id() , _get_user_obj() , and _get_user_level() allow for more granular validation when needed. By leveraging these tools effectively, developers can implement secure and flexible authentication and authorization workflows.

Overview

When interacting with Trongate API endpoints, it is essential to include the Trongate token in the HTTP request headers for authentication. This ensures that the server can validate the user's identity and authorize access to protected resources. Below are demonstrations of how to attach a Trongate token to HTTP requests using JavaScript, specifically with XMLHttpRequest and the modern Fetch API.

Using XMLHttpRequest

The XMLHttpRequest object provides a traditional way to send HTTP requests in JavaScript. Below is an example of how to attach a Trongate token to the request headers using this approach:

Explanation

• targetUrl: Replace this with the actual URL of the Trongate API endpoint you wish to interact with.
• token: Replace this placeholder with the actual Trongate token generated for the user.
• setRequestHeader: The trongateToken header is explicitly set to include the token for authentication.
• onload: This event handler processes the server's response once the request is complete.

Using Fetch API

The Fetch API offers a more modern and promise-based approach to making HTTP requests. Below is an example of how to attach a Trongate token to the request headers using the Fetch API:

Explanation

• targetUrl: Replace this with the actual URL of the Trongate API endpoint you wish to interact with.
• token: Replace this placeholder with the actual Trongate token generated for the user.
• headers: The trongateToken header is included in the request to authenticate the user.
• Promises: The Fetch API uses promises to handle asynchronous operations, making it easier to manage responses and errors.

Fetching Tokens from HTTP Headers Using Pure PHP

In server-side PHP code, tokens sent via HTTP headers can be accessed directly using the $_SERVER superglobal. For example:

In the code sample above, a $token variable is assigned the value of a 'Trongate token' passed via an HTTP request header. If no such header is found, the $token variable will be assigned a boolean value of false.

Security Considerations

When attaching tokens to HTTP headers, keep the following security considerations in mind:

• HTTPS: Always transmit tokens over HTTPS to encrypt the data and prevent interception by malicious actors.
• Token Storage: Store tokens securely on the client side. For web applications, consider using secure cookies or session storage to minimize exposure.
• Token Expiry: Ensure that tokens have a reasonable lifespan and implement mechanisms to refresh or regenerate them as needed.
• Error Handling: Implement robust error handling to detect and respond to failed authentication attempts or expired tokens.

In certain scenarios, such as when a user logs out of a private members' area, it may be necessary to delete a token from the user's device and from your application's database. This can be accomplished by invoking the _destroy() method from the Trongate Tokens module. This method does not require any arguments.

How It Works

The _destroy() method systematically removes tokens from the following possible storage locations:

• Session Data: If a token is stored in the session, it will be cleared.
• Cookies: If a token is stored as a cookie, it will be deleted from the user's browser.
• Database Records: Any corresponding records in the trongate_tokens table will be removed.

This ensures that the token is completely invalidated and cannot be reused for authentication or authorization purposes.

Example Usage

Below is an example of how to invoke the _destroy() method:

Explanation

• Line 1: Loads the trongate_tokens module, making its methods available for use.
• Line 2: Invokes the _destroy() method to clear tokens from the session, cookies, and database.

Security Implications

Properly destroying tokens is a critical aspect of maintaining application security. By invoking the _destroy() method during logout or other relevant events, you ensure that:

• Session Termination: The user's session is terminated, preventing unauthorized access to protected resources.
• Token Cleanup: Tokens are removed from both the client side (session or cookies) and the server side (database), minimizing the risk of token reuse or hijacking.

Additional Considerations

While the _destroy() method handles token cleanup comprehensively, developers should also consider the following best practices:

• Logout Confirmation: Provide users with feedback (e.g., a success message) after invoking the _destroy() method to confirm that they have been logged out.
• Redirect After Logout: Redirect users to a public page (e.g., the login screen or homepage) after destroying their tokens to prevent accidental re-access to restricted areas.
• Token Expiry: Ensure that tokens have a reasonable lifespan and implement mechanisms to automatically expire and clean up unused tokens from the database.

The Trongate Security module is an essential part of the Trongate framework, included with every installation to help manage authentication, authorization, and other security-related concerns. It provides a centralized hub for handling security tasks, ensuring that only authorized users can access restricted areas and resources within an application. By utilizing the Trongate Security module, developers can implement robust security measures with ease, enhancing overall application security.

Exploring the Code

The main PHP class for the Trongate Security module is somewhat unusual because it only has one method. Here's the code for the entire Trongate_security class (Trongate_security.php):

The _make_sure_allowed() method accepts two possible arguments:

1. A required $scenario (string) argument
2. An optional $params (array) argument

The _make_sure_allowed() method contains a PHP switch statement. Each item within the switch statement represents a different web application scenario, and the class is provided with the expectation that users will add their own scenarios to the switch statement as their application grows.

Understanding Scenarios

An important concept for those working with the Trongate Security module is scenarios.

A scenario, in the context of Trongate Security, refers to a general situation or context where usage of the module may be desirable to enforce access control. Scenarios are not tied directly to specific user levels but rather represent broader access contexts that may involve multiple user levels. Below is an assortment of possible scenarios that could be relevant for a web application:

• Admin Panel: A restricted area for administrators to manage application settings.
• Discussion Forum: A space where users of various levels (e.g., moderators, members, guests) can interact.
• Private Members Area: A section of the application accessible only to registered members.
• Customer Account Page: A personalized dashboard for customers to view their orders, update their profiles, submit technical support requests, etc.

Scenarios allow developers to define access rules that apply to specific parts of the application, irrespective of the user levels involved. For instance, a discussion forum might be accessible to multiple user levels, such as moderators, members, and even guests, depending on the application's requirements. The scenario itself exists independently of user levels, serving as a general context for access control.

Basic Example: Enforcing Access Control

To enforce access control using the Trongate Security module, you can utilize the _make_sure_allowed() method from any other module. This method ensures that the user has the necessary permissions for a given scenario before proceeding.

Example: Restricting Access to an Admin Panel

The code below demonstrates how to restrict access to an admin panel by ensuring that only users with an "admin" user level can view it.

Explanation

• Line 5: Loads the trongate_security module, making its methods available for use.
$this->module('trongate_security');
• Line 6: Invokes the _make_sure_allowed() method with the scenario name 'admin panel'. This ensures that only users with the appropriate permissions can proceed.
$token = $this->trongate_security->_make_sure_allowed('admin panel');
• Lines 9-11: If the user is allowed, the admin panel view is loaded.
// If the user is allowed, load the admin panel view. $data['view_module'] = 'admin_panel'; $data['view_file'] = 'manage'; $this->load_template($data);

How the Trongate Administrators Module Interacts with Other Modules

To better understand how the Trongate Security module integrates with other modules, let's delve into the mechanics of the following two lines of code (taken from Trongate_security.php):

Purpose of These Lines

These two lines of code delegate the mechanics of access control to another module - in this case, the 'Trongate Administrators' module.

Sure enough, within the 'Trongate Administrators' module, there is a method that is also named _make_sure_allowed(). That method makes sure the user is logged in as an administrator by invoking the 'Trongate Tokens' module. If a valid token is found, it is returned. Otherwise, the user is redirected to a login page.

Advanced Example: Granular Access Control in a Discussion Forum

Let's consider a scenario where we have a discussion forum module that allows users to create, edit, and delete comments. However, we want to restrict the editing and deletion of comments to either the user who created the comment or users with administrative privileges.

To achieve this, we can utilize the $params argument in the _make_sure_allowed() method to pass additional data, such as the record_id of the comment being modified and the specific action being performed.

Example: Restricting Comment Editing and Deletion

In this example, we'll assume we have a Forums class with a write_record() method that handles the updating or deletion of comments.

Explanation

• Line 5: The write_record() method takes an optional $id parameter, representing the ID of the comment being edited or deleted.
• Line 7: We create a $params array containing the record_id key-value pair, where the value is the $id of the comment, and an action key-value pair specifying the action being performed (in this case, 'write record').
• Line 8: We load the trongate_security module to access its methods.
• Line 9: We invoke the _make_sure_allowed() method, passing the scenario as 'discussion forum' and the $params array containing the record_id and action.
• Lines 11-12: If the user is allowed to edit or delete the comment based on the scenario, record_id, and action, the method proceeds with the update or deletion logic.

Implementing a solution like this would require adding an additional case to the switch statement within the 'Trongate_security' class.

By leveraging the $params argument and including the action property, we can enforce even more granular access control rules within the discussion forum module. This allows us to handle different actions, such as editing or deleting comments, with specific permissions based on the user's role or ownership of the comment.

Addressing Circular Dependency Concerns

At first glance, the pattern employed by the Trongate Security module might raise concerns about circular dependencies. For example, it allows for a scenario where 'Module A' invokes 'Module B', and then 'Module B' invokes a method from within 'Module A'. This circular nature of the code flow could potentially lead to confusion and make the codebase harder to understand.

However, it's important to note that using the Trongate Security module is not a strict requirement. Developers have the option to bypass it altogether, for example, by directly calling the _make_sure_allowed() method from the 'Trongate Administrators' module instead. However, while this approach may seem simpler and more straightforward, it comes with its own set of drawbacks.

Beware of Spaghetti Code!

Directly calling the _make_sure_allowed() method from the 'Trongate Administrators' module would result in a codebase that is more rigid and less adaptable to change. As the application evolves and grows, the rules for managing access to various areas, such as the admin panel, may need to be modified or expanded. Having security-related code scattered throughout different modules - with no common point of entry - can result in a codebase that is challenging to maintain and extremely difficult to upgrade.

The Benefits Of The Trongate Security Module

By channeling security-related functionality through the Trongate Security module, developers gain a centralized hub for handling all security matters. This centralization promotes code reusability, maintainability, and scalability. It allows for a more flexible and modular approach to managing access control across the entire application.

While the Trongate Security module's approach may introduce some level of indirection and potential for circular dependencies, the benefits it provides in terms of code organization and maintainability outweigh the concerns. By consolidating security-related code into a dedicated module, developers can ensure that access control is handled consistently and can easily adapt to changing requirements.

With Trongate's API Explorer, it's easy to create secure, custom API endpoints in record time.

The YouTube tutorial below provides guidance on how to create your own custom API endpoints using the API Explorer.

Before moving forward, let's clarify some important terminology.

Endpoint

The word 'endpoint' means a URL (i.e., a website address) that has been designed to accept and process HTTP requests. Strictly speaking, an endpoint could be URL that loads up a webpage - perhaps with pictures, JavaScript and HTML. Or, an endpoint could simply return text-based data - perhaps in the form of XML, JSON or comma separated values (CSV format).

HTTP

HTTP stands for Hypertext Transfer Protocol and is the dominant method of communication by which information is sent across the internet.

HTTP Request

An 'HTTP request' is a packet of data that has been transmitted to an endpoint. Different types of HTTP request include (but are not limited to):

• GET
• POST
• PUT
• DELETE

HTTP Response

An 'HTTP response' is a server's response to an inbound HTTP request. Typically, a server's response will contain (but not be limited to) two key parameters.

• an HTTP response status code - check this webpage for details.
• an HTTP response body - which is a body of text that can be read by a browser and translated into entities like; HTML pages, JSON objects, XML documents and more.

In-Built API Endpoint

An in-built API endpoint is the phrase we'll be using, in the Trongate documentation, to refer to an endpoint that comes shipped with all installations of the Trongate framework. In other words, it's an assortment of endpoints that have already been coded into the framework and you can start using them immediately. Trongate's in-built endpoints assist with executing common database related tasks such as create, read, update and delete.

Custom API Endpoint

A custom API endpoint is a bespoke endpoint that has been custom built - by a developer - to serve a particular purpose. Custom endpoints are, by definition, not included with the Trongate framework.

When you are creating your API settings file, there are a range of optional parameters that you can declare for each of your endpoints. The optional parameters are as follows:

Required Fields

• required_fields: This will be an array of key value pairs, with each pair representing the name and the label for a required field. The code below declares an endpoint that has 'id' as a required field:

Before Hook

• beforeHook: The beforeHook parameter can be used to declare a method that should intercept the inbound HTTP request before allowing the request to reach the main endpoint method. Below is an example of an endpoint that has a beforeHook property of '_prep_password'. This endpoint will intercept the inbound HTTP request and run it through a method, on the loaded module, named _prep_password().

After Hook

• afterHook: The afterHook parameter can be used to declare a method that should receive the outbound server response before the response has been served to the end user. Below is an example of an endpoint that has an afterHook property of '_prep_date'. This endpoint will intercept the outbound HTTP response and run it through a method, on the loaded module, named _prep_date(). Our visualisation here would be a scenario where a date/time fetched from a database, such as a Unix timestamp, is to be formatted before being presented to the end user.

Before hooks and after hooks are important. Let's explore them in a little more detail!

The goal of an after hook is to intercept an outbound HTTP response and then do something with it before the server issues a response to the end user.

An after hook can be added onto an API endpoint by adding the 'afterHook' property onto an endpoint's settings. Below is an example of an after hook called '_prep_date' being declared for a 'Get' endpoint. This setting (which would be stored on an api.json file) would invoke a protected method named _prep_date() whenever the server is about to issue a response, after having invoked the 'Get' endpoint.

The Outbound Response Array

All the information that gets passed into an after hook comes in the form of an array. We can call this array the 'outbound response array'.

The general structure of an after hook will facilitate taking in an outbound response array, doing something with it, then potentially returning the array. If we represent our outbound response array with the variable $output, then our after hook methods can take the following form:

Diving Deeper

By using PHP's built-in var_dump() method, in combination with a die statement, it's possible to explore the contents of an outbound response array.

This will reveal the following three parameters:

• token - If a Trongate security token was passed into the header of the inbound HTTP request, then the value of the security token will be assigned to the 'token' property of the outbound response array. Therefore, to access the token, we could say:

• body - The body is a string of text that is to be issued by the server. Often, though not always, the body can be JSON decoded into an array of key-value pairs. So, if 'id' with a value of '4' was being issued by the server, we could access the id with:

• code - Finally, our outbound response array will contain a 'code' parameter. The code parameter will be a numeric value representing the HTTP response status code from the server. To display the HTTP response server code, using PHP, we could say:

Modifying The Outbound Response Array

Having access to the outbound HTTP response array means that we have the ability to manipulate the response before it gets served to the end user.

There are lots of situations where this might be useful. One example would be to format dates.

EXAMPLE

Let's imagine that you have an API endpoint that queries a database table and returns information about a record that's stored in the database table.

This could be something like a members table, and it's possible that the response body could take the form of a string of text that could be converted into a JSON object with the following properties:

As you can see, 'date_joined' is an integer that's ten digits in length. When we see this kind of value in PHP, we can be fairly confident that we're being issued with a Unix timestamp. However, before sending the response to the end user, we may wish to use an after hook to intercept the response and format the date so that it's presented in a more user-friendly and readable manner.

Below is an example of an after hook that could modify a response body so that 'date_joined' is nicely formatted.

The code above would modify the HTTP response body, giving us:

The default admin login URL for Trongate websites is made up of a base URL followed by trongate_administrators/login. However, a base URL followed by tg-admin will also work. This shorter URL is made possible by the custom_routing.php file, which is inside the config directory.

If somebody tried to hack into your admin panel then you can be sure that they would focus on entry points such as your default admin login and the URL for receiving post requests from your admin login. Of course, if a malicious user knows your login URL for your admin panel then it does not mean that they have successfully hacked your site. It merely means that they have a good starting point to carry out their diabolical deeds.

With this in mind, it's a good practice to make your login URL secret and - hopefully - impossible to guess. Doing this is would make life much more difficult for a would-be hacker.

How To Create A Secret Admin Login URL

STEP 1: Think of a word that is difficult to guess but meaningful and easy to remember for the site owner.

This could be an entirely made-up word or a word that's made of a combination of two words. Avoid spaces or any unusual characters. For the moment, let's assume that our secret word is going to be fantasticola. This means that to log into our site admin panel, the URL should be:

The base URL, followed by 'fantasticola', e.g., example.com/fantasticola

STEP 2: Modify custom_routing.php

The next step is to modify your custom_routing.php file, which is inside your config directory. Simply replace all instances of 'tg-admin' with 'fantasticola' (or whatever your secret world may be).

For example, here's some sample code from custom_routing.php:

The code above would be changed to:

Step 3: Modify and uncomment the secret login declaration on 'Trongate_administrators.php'

Finally, open up Trongate_administrators.php. If you are using version 1.3.3031 or higher then around line 5 could should see the following code:

Uncomment this line and change the secret login segment to your chosen word. For example:

That's it!

If you have followed these instructions and you are using Trongate version 1.3.3031 or higher then the trongate_administrators/login page will produce a 404 error. In order to access your admin login URL, users would have to go to your base URL followed by your secret word.

Here's a little checklist that you can run through before launching your next big Trongate web app.

Check 1

When you launch your web app, make sure your main config file (config.php) does not have 'ENV' set to 'dev'. The recommendation is to change the ENV setting to 'live' or 'production' or any word that is not 'DEV' or 'dev'.

Check 2

Change the password to your admin panels to something that is difficult or impossible to guess.

Check 3

Improve your site security by hiding your main admin login URL.

Check 4

Make sure your BASE_URL is set to the full base URL that corresponds with your live website homepage. For example, 'https://trongate.io/'.

Check 5

Make sure your database.php file contains database settings that relate to your live database and not your localhost.

Check 6

Make sure your site_owner.php file contains values that relate to the person or organisation who own the site.

Check 7

Don't forget to set up at least one live email account and run some two-way tests to make sure you're able to send and receive emails. The mechanics of setting up email accounts is beyond the scope of this documentation. However, it's always a good idea to talk to your web hosts and see if they have any recommendations that might prove to be helpful.

Check 8

And finally... when you're testing a live website for the first time, it's a very good idea to use a different computer from the one that you built on. If that's not possible then switch off the PHP engine on your localhost. One of the most common mistakes developers make when they launch is they leave 'localhost' paths in their code. Switching off localhost makes those kinds of mistakes very easy to spot.

BONUS CHECK

Most of the people who visit your website will probably be using mobile devices. So, be sure to test your site on a mobile device such as a smartphone.