Banshee, the secure PHP framework

Request flow

This page describes how Banshee handles a request.

All requests for non-existent files are redirected to index.php via URL rewriting, which is done by the web server. The first thing this file does is start output buffering, to prevent error messages from being sent to the browser. Then, three libraries are included:

Then the core objects (database, session, settings, user, page and view) are created. Optionally, the core object language is created. These objects are available in every controller and model and can be seen as the framework part of Banshee.

When the logging module has not been removed, the request will be logged. Banshee checks for a Cross-Site Request Forgery attack and clears all GET and POST data if one is detected. If the currently logged-in user has switched to another user via the /admin/switch module, a reminder of this action will be included in the output.

The file holding the model is included if it exists. A normal model consists of only a class, so no PHP code is executed upon including.

If the request is not an AJAX or REST request, information required for the layout and some global content is included. This includes information about the current request and user, language information, the menu and the stylesheet which must be used.

The file holding the controller is included if it exists. The controller creates a model object if its class exists and the controller is executed. If the controller has disabled the output library, the data that has been printed will be sent to the client and execution is terminated.

Any printed error will be collected and transferred to the error library. The output library combines the collected XML data with the right XSLT file and returns the result. This result is sent to the client.
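
The output buffering, CSRF handling and error collection steps described above, shown as an added PHP example that is not Banshee's own code. The page does not say how Banshee detects a CSRF attack, so the Origin/Referer host comparison is an assumption, and the function names, the `app.example` host and the sample requests are constructed for illustration.

```php
<?php
// Added illustration, not Banshee source; all names here are hypothetical.
// Assumption: a request is treated as cross-site when it carries POST data and
// the host in its Origin (or, failing that, Referer) header is not our own host.
function is_cross_site(array $server, array $post): bool {
    if ($post === []) {
        return false;
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $source_host = parse_url($source, PHP_URL_HOST);
    $own_host = parse_url('//' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    // Fail closed: a missing or unparsable header counts as cross-site.
    if (!is_string($source_host) || !is_string($own_host)) {
        return true;
    }
    return strcasecmp($source_host, $own_host) !== 0;
}

function handle_request(array $server, array $get, array $post, callable $controller): array {
    ob_start();                      // from here on nothing printed reaches the client
    $csrf = is_cross_site($server, $post);
    if ($csrf) {
        $get = $post = [];           // drop the input, as the page describes
    }
    try {
        $body = $controller($get, $post);
    } finally {
        $printed = ob_get_clean();   // notices, warnings and stray echo output
    }
    return ['csrf' => $csrf, 'body' => $body, 'errors' => trim($printed)];
}

// Constructed controller: changes state on POST and leaks a debug line.
$controller = function (array $get, array $post): string {
    if (!isset($post['email'])) {
        return 'nothing to do';
    }
    echo "Notice: debug output from controller\n";
    return 'email changed to ' . $post['email'];
};

// Constructed requests: same POST body, different Origin header.
$post = ['email' => 'new@example.org'];
foreach (['https://app.example', 'https://other.example'] as $origin) {
    $server = ['HTTP_HOST' => 'app.example', 'HTTP_ORIGIN' => $origin];
    $r = handle_request($server, [], $post, $controller);
    printf("%s csrf=%s body=%s collected=%s\n", $origin, json_encode($r['csrf']), $r['body'], json_encode($r['errors']));
}
```

Because the input is cleared instead of the request being aborted, the controller still runs on a detected cross-site request but sees no parameters, so a state-changing action keyed on POST data does nothing.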