Banshee
the secure PHP framework

Request flow

All requests for non-existent files are redirected to index.php via URL rewriting, which is done by the webserver. The first thing this file does is start PHP's output buffering, to prevent error messages from being sent to the browser directly. Then, three libraries are included:

  • libraries/core/error.php, which handles errors and exceptions;
  • libraries/core/banshee.php, which contains general functions for the framework; and
  • libraries/core/security.php, which contains security functions.

Then the core objects database, session, settings, user, page and view are created. Optionally, the core object language is created. These objects are available in every controller and model and can be seen as the framework part of Banshee.

When the analytics module has not been removed, the request will be logged. If the currently logged in user has switched to another user via the /admin/switch module, a reminder of this action will be included in the output.

The file holding the model is included if it exists. A normal Banshee model consists of only a class, so no PHP code is executed upon including it. Banshee's login model (models/banshee/login.php) is the only exception to that.

If the request is not an AJAX or REST request, information required for the layout and some global content is included. This includes information about the current request and user, language information, the menu and the stylesheet which must be used.

The file holding the controller is included if it exists. The controller creates a model object if its class exists and the controller is executed. If the controller has disabled the output library, the data that has been printed will be sent to the client and execution is terminated.

Any printed error will be collected and transferred to the error library. The output library combines the collected XML data with the right XSLT file and returns the result. This result is sent to the client.
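
The following sketch is an added example, not Banshee's own code. It shows why the buffer is started first: warnings, exceptions and stray printed text produced during the request end up in a log, and only the rendered result reaches the client. The function name handle_request, the controller signature and the generic error element are assumptions made for this illustration, and string concatenation stands in for the XML and XSLT step.

```php
<?php
// Added illustration; every name in this file is hypothetical, not Banshee's API.

// Runs $controller inside an output buffer and returns what may be sent to
// the client. The controller fills $xml and returns true when it has
// disabled the output layer and printed its own response.
function handle_request(callable $controller, array &$error_log): string {
    ob_start(); // nothing reaches the browser until the end of the request

    // Turn warnings and notices into log entries instead of printed text.
    set_error_handler(function (int $no, string $msg, string $file, int $line) use (&$error_log) {
        $error_log[] = sprintf("%s in %s:%d", $msg, basename($file), $line);
        return true; // suppress PHP's default error output
    });

    $xml = [];
    $raw_output = false;
    try {
        $raw_output = (bool)$controller($xml);
    } catch (Throwable $e) {
        $error_log[] = get_class($e) . ": " . $e->getMessage();
    } finally {
        restore_error_handler();
    }

    $printed = ob_get_clean(); // everything echoed during the request
    if ($raw_output) {
        return $printed; // output layer disabled: send the printed data as-is
    }
    if (trim($printed) !== "") {
        // Stray printed text is treated as an error: logged, never sent.
        $error_log[] = "unexpected output: " . trim($printed);
    }
    $body = implode("", $xml);
    if (count($error_log) > 0) {
        // Assumption: the client only sees a generic notice, never the details.
        $body .= "<error>An internal error occurred.</error>";
    }
    return "<output>" . $body . "</output>";
}

// Constructed sample controller: adds content, raises a warning, prints debug text.
$log = [];
$response = handle_request(function (array &$xml) {
    $xml[] = "<title>Demo</title>";
    trigger_error("database login failed", E_USER_WARNING);
    echo "debug: query failed";
    return false;
}, $log);
echo $response, "\n"; // contains the title and the generic error only
print_r($log);        // holds the warning and the stray debug text
```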