JREAM - your use of defines makes me cringe, especially given that you put many security values in them:
Uhg… Learning from Wordpress’ example I see.
ON topic - MVC is something I’ve practiced in most of my code since before I started writing PHP. In PHP with all the possible avenues of attack thanks to it being a on-the-fly interpreted language, MVC makes perfect sense and IMHO is how all code SHOULD be written.
Though I prever to put the C FIRST, because the controller is what should be called FIRST! It goes hand in hand with my routing ALL requests through the root index.php - my controller. Also makes doing friendly URL’s a hell of a lot easier later on since you can just redirect all calls to non-static files to index.php and explode $_SERVER[‘REQUEST_URI’]…
You have to think about the controllers job - it’s traffic cop, an air traffic controller. It should decode the user request, load the appropriate models to process the data, and then handle the transfer of said data or responses for the requests to the view - in that order.
That separation of tasks is also a perfect opportunity to harden the system by not using globals for everything. Even my index.php has everything wrapped in functions, a dummy wrapper for require_once that breaks scope of locals so values HAVE to be passed via the function handler (I usually do so by reference so memory use is kept under control) - even the database connection if you use PDO can be restricted in scope to local.
SCOPE is very important if thinking security, especially in a scripted language… One of the whole reasons to use MVC is to keep you data processing isolated from the template. There is no reason for your View/Template to EVER need database access - so why would you pass the values to said functions or make them global in scope? Is it any wonder that EVAL and user uploads are such a risk?
That’s security programming 101 - never put security related info into globals or defines. It’s also the number one mistake even many seasoned developers seem to make as if they’ve never even heard of the concept.
In a lot of ways that is why I find many object based MVC’s to in fact miss the point of using MVC in the first place, as they ‘round robin’ back and forth between the template and the data, - instead of just processing ALL the data, then showing all the data… and worse they store everything in the object in a manner at which it might as well all be globals in the first place! I’ve seen people claiming their code was MVC where the template (view) was even calling their object based data handlers directly. “Oh, but it’s in an object so it’s separate”
COMPLETELY MISSING THE POINT. Calling the data handler is the CONTROLLERS job, not the VIEW’S… I would allow that the other direction, the MODEL calling the VIEW, but I really prefer a FULL separation of the two as neither should have access directly to each-others functionality or values. That’s not just a security thing, that defeats the point of having them “separate” in the first place!
It also doesn’t help to load EVERY model as a single file on every call… That’s loading tons of code that probably isn’t even going to be executed… While that’s not really an issue in a compiled language, PHP is interpreted and every piece of code has to go through the bytecode compiler, and consumes memory if run or not. This is more data to shove in/out of the cache on each request run or not, and in general why I dislike objects in interpreted languages with rare exceptions.
… and MVC does NOT need objects to work. Quite the contrary if you have at run-time includes available… Though yes, objects ARE nice to restrict scope, but if the class is globally available anyways, what’s the difference between locals in a function and those in a object?
Though I suppose my approach if you flowcharted it would be C > M > C > V. Controller processes the request, handles any security, calls the appropriate model which returns the output/data to the controller. It’s then the controllers job to call the view/template. It does end up a bit more memory hungry than letting the Model call the View directly, but it generally runs faster since you can concentrate on each task instead of switching gears mid-processing from retrieving data to outputting data.
Besides, RAM is cheap these days. When I can get a dedicated dual core atom 330 server with 2 gigs of RAM for $60/mo, I’m not sweating a little extra RAM overhead if it means less CPU overhead and more consistent disk access patterns.
In a lot of ways it’s like practicing separation of content from presentation in your HTML and CSS. Your template or the code behind the template has no business going to the database, and your database access has no business outputting results. Each has their own job, let them do it.
I do kind-of break the controllers separation by letting it handle sessions, user logins and database connections - but I feel that’s more true to the intent since the controller can then determine does the user have the rights to access the model - what models should even be ALLOWED access to the database, the data structure used to pass information, what PARTS of the data structure, etc, etc.
In any case, it really is a better way of coding making everything simpler - from easy reskinning (to the point you can even let people use PHP in their skins with ZERO worries of them screwing up the data, so screw the overhead of ‘templating systems’ like smarty), to not having to wade through output to debug a data handling issue, to having your code end up more secure ‘by default’.