commits
/blah/show/3 is ok to match a route of /blah/:action/:id, but
/blah/show/3/4 should not match /blah/:action/:id
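An added example, not halfmoon's router code, of the strict segment-count matching this commit describes: a route pattern matches only when the request path has exactly as many segments as the pattern, so `/blah/show/3/4` cannot satisfy `/blah/:action/:id`. The function name `match_route` and its return shape are assumptions of this example.

```php
<?php
// match_route() returns the captured :params on a match, or null when the
// path has a different number of segments or a literal segment differs.
function match_route(string $pattern, string $path): ?array
{
    // Split on "/" and drop empty pieces so leading/trailing/double slashes
    // do not produce phantom segments.
    $pat_parts  = array_values(array_filter(explode("/", $pattern), "strlen"));
    $path_parts = array_values(array_filter(explode("/", $path), "strlen"));

    // Segment counts must agree exactly: an extra trailing segment such as
    // the "/4" in /blah/show/3/4 is a mismatch, not an ignored remainder.
    if (count($pat_parts) !== count($path_parts))
        return null;

    $params = [];
    foreach ($pat_parts as $i => $seg) {
        if ($seg[0] === ":")
            $params[substr($seg, 1)] = $path_parts[$i]; // :action, :id, ...
        elseif ($seg !== $path_parts[$i])
            return null; // literal segment ("blah") must match verbatim
    }
    return $params;
}

// constructed inputs
var_dump(match_route("/blah/:action/:id", "/blah/show/3"));   // action/id captured
var_dump(match_route("/blah/:action/:id", "/blah/show/3/4")); // null
var_dump(match_route("/blah/:action/:id", "/other/show/3"));  // null
```

Keeping the count check separate from the per-segment loop makes the "no extra segments" rule visible at a glance, which is the property a later reader will want to confirm when auditing routes for unintended matches.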
POST and other destructive actions should already be using $verify
to ensure that the request is using POST, which will bail if a HEAD
request is issued instead.
Works like Rails (2.3) and uses the URL as the path to the cache
file, appending .html unless it looks like there's already an
extension in the url (like .rss)
Add expire_page() to remove cached files by controller, action, and
id
eliminate /../, /./, etc. from full url and path
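As an added example (not halfmoon's own implementation) of the normalization this commit introduces: collapse `.` and `..` segments in a path, and apply the same treatment to the path component of a full URL. This matters for the page cache above, where the request URL becomes a file path; resolving `..` before any filesystem access is what keeps a request from naming a file outside the cache directory. `normalize_path` and `normalize_url` are names chosen for this example.

```php
<?php
// Resolve "." and ".." segments lexically. ".." never climbs above the root
// of an absolute path (or above the start of a relative one).
function normalize_path(string $path): string
{
    $absolute = ($path !== "" && $path[0] === "/");
    $out = [];
    foreach (explode("/", $path) as $seg) {
        if ($seg === "" || $seg === ".")
            continue;                 // collapse "//" and "/./"
        if ($seg === "..") {
            array_pop($out);          // step up; no-op when already at root
            continue;
        }
        $out[] = $seg;
    }
    return ($absolute ? "/" : "") . implode("/", $out);
}

// Normalize only the path part of a URL, leaving scheme/host/port/query as-is.
function normalize_url(string $url): string
{
    $p = parse_url($url);
    if ($p === false)
        return "";
    $out = "";
    if (isset($p["scheme"])) $out .= $p["scheme"] . "://";
    if (isset($p["host"]))   $out .= $p["host"];
    if (isset($p["port"]))   $out .= ":" . $p["port"];
    $out .= normalize_path($p["path"] ?? "/");
    if (isset($p["query"]))  $out .= "?" . $p["query"];
    return $out;
}

// constructed inputs
echo normalize_path("/blah/show/../../../etc/passwd"), "\n"; // /etc/passwd, not above root
echo normalize_path("/blah/./show//3/"), "\n";               // /blah/show/3
echo normalize_url("http://example.com/a/b/../c/./d?x=1"), "\n"; // http://example.com/a/c/d?x=1
```

Note that this is purely lexical: it makes the string safe to join onto a cache root, but it says nothing about symlinks on disk, so a cache writer should still confirm the final `realpath()` stays under the cache directory.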
fix test that was failing because headers_sent() was reporting true,
despite this just coming from phpunit itself.
php's empty() considers a string "0" to be empty, so use our own
test function to work around this
don't include form_authenticity_token for GET forms
when passing the pdo init string, pass it as a new
StringMaskedDuringRescue which will pass the proper string through
__toString(), but when it's printed in a rescue message, print its
masked string
in rescue functions, print arguments since they can be useful
just check whether headers have already been sent
make notices print blue by default now, and successes in green
to remove ambiguity over what parts of built forms are escaped and
which are not, and increase security in everything else that
prints html, run everything supplied by the application through h()
to escape html.
since there may be instances where html should be printed, like in
flash_errors(), introduce a global function raw() that can be used
to protect a string until it hits the helpers, where it will be
recognized as a raw object and not run through h(). most things
that did h() now do raw_or_h().
note that the raw object must continue all the way through to the
helper, so doing
$this->add_flash_error(raw("<b>error:</b> ") . $somevar)
does nothing, because the Raw object will get __toString()'d right
away and get seen as a normal string when it gets to the helper,
which will run h() on it. the entire argument must be the raw
object with your own html protection done on the parts you need it:
$this->add_flash_error(raw("<b>error:</b> " . h($somevar)))
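The h()/raw()/raw_or_h() convention from this commit, as an added example that is not halfmoon's code: a `Raw` marker class, the three functions, and a stand-in flash helper that shows why the `raw()` wrapper has to cover the entire argument. The function names follow the commit message; the bodies, the `FlashDemo` class and the use of PHP 8 syntax are assumptions of this example.

```php
<?php
// Marker for a string the application has already made safe for HTML output.
class Raw
{
    public function __construct(private string $html) {}
    public function __toString(): string { return $this->html; }
}

// Escape for an HTML body or attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}

// Wrap HTML that must reach the helper unescaped.
function raw(string $html): Raw
{
    return new Raw($html);
}

// What helpers now call instead of h(): Raw passes through, anything else is escaped.
function raw_or_h(mixed $v): string
{
    return ($v instanceof Raw) ? (string)$v : h((string)$v);
}

// Stand-in for the controller/helper pair in the commit message.
class FlashDemo
{
    private array $errors = [];
    public function add_flash_error(mixed $msg): void { $this->errors[] = $msg; }
    public function flash_errors(): string
    {
        $out = "";
        foreach ($this->errors as $e)
            $out .= "<p>" . raw_or_h($e) . "</p>\n";
        return $out;
    }
}

$somevar = '<script>alert(1)</script>'; // constructed untrusted input
$c = new FlashDemo();

// Wrong: "." calls __toString() on the Raw object at once, so the helper
// receives a plain string and h() escapes the <b> tags along with $somevar.
$c->add_flash_error(raw("<b>error:</b> ") . $somevar);

// Right: the whole argument is Raw, and the untrusted part was run through
// h() first, so the <b> renders and the script tag is still escaped.
$c->add_flash_error(raw("<b>error:</b> " . h($somevar)));

echo $c->flash_errors();
```

The design choice worth noting is that `raw_or_h()` is the only branch that skips escaping, and it keys on the object type rather than on content, so a grep for `raw(` in the application is a complete inventory of every place unescaped HTML can originate.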
session_get_cookie_params() is only useful before session_start() is
called, for parameters set in config/boot.php.
for per-request modification, that function has no effect, so trying
to change the lifetime in a login controller won't work.
read cookie parameters at session instance creation (which is after
boot.php changed them) and allow each one to be overridden with
\HalfMoon\EncryptedCookieSessionStore::set_lifetime() and similar.
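An added example, not halfmoon's own `EncryptedCookieSessionStore`, of the mechanism this commit describes: snapshot `session_get_cookie_params()` when the store is created (after boot.php has run), expose per-request setters, and apply the result with `session_set_cookie_params()` immediately before `session_start()`. The `start()` method, the extra setters beyond `set_lifetime()` and the class living in the global namespace are assumptions of this example; the array form of `session_set_cookie_params()` requires PHP 7.3 or later.

```php
<?php
class EncryptedCookieSessionStore
{
    private array $params;

    public function __construct()
    {
        // Captured here, these reflect whatever config/boot.php already set
        // via session_set_cookie_params() before the store was built.
        $this->params = session_get_cookie_params();
    }

    // Per-request overrides; they only take effect because start() re-applies
    // the whole array before the session actually starts.
    public function set_lifetime(int $seconds): void { $this->params["lifetime"] = $seconds; }
    public function set_secure(bool $on): void       { $this->params["secure"]   = $on; }
    public function set_httponly(bool $on): void     { $this->params["httponly"] = $on; }
    public function set_samesite(string $mode): void { $this->params["samesite"] = $mode; }

    public function cookie_params(): array { return $this->params; }

    public function start(): void
    {
        if (session_status() === PHP_SESSION_ACTIVE)
            return; // too late to change cookie parameters for this request
        // Same keys session_get_cookie_params() returned: lifetime, path,
        // domain, secure, httponly, samesite.
        session_set_cookie_params($this->params);
        session_start();
    }
}

// e.g. in a login controller, for a "remember me" session (constructed usage):
$store = new EncryptedCookieSessionStore();
$store->set_lifetime(14 * 24 * 60 * 60);
$store->set_secure(true);
$store->set_httponly(true);
$store->start();
```

The `session_status()` guard is the check a reviewer would ask for: once the session is active, changing the parameters silently does nothing, which is exactly the failure this commit is working around.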
instead of just using the development environment for php-ar, use
what is configured in the db.ini file but set the default to
HALFMOON_ENV's value, so that we will default to development or
whatever we're in, like we did before.
now that php-ar has the full list of db configs, models can use:
static $connection = "blah";
and talk to the connection specified by that config in db.ini rather
than the default. this allows different models to talk to different
databases. verified by loading data from mysql and postgresql
databases at the same time.
apache 2.2 has an annoying "feature" hard-coded in it where it logs
referrers to error_logs after each line, so for our purposes this
makes tail -f'ing the error_log hard to read.
allow installing a custom log handler like:
HalfMoon\Config::set_log_handler("MyLog");
in the boot.php script, which will pass all requests to
\HalfMoon\Log::{error,info,warn,error_log_r} to that MyLog class to
be logged however it wishes.
a logging class can then just do 'error_log($line, 3, "/some/file")'
to log info directly to the file without all the crap apache adds.
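The handler hook this commit adds, as an added example rather than halfmoon's own `Config`/`Log` code: `Config::set_log_handler("MyLog")` records a class name, `Log::{error,info,warn,error_log_r}` dispatch to it when set and fall back to `error_log()` otherwise, and `MyLog` appends straight to a file with `error_log($line, 3, $file)`. The static `log($level, $line)` signature on the handler class and the `/tmp` file path are assumptions of this example.

```php
<?php
namespace HalfMoon {
    class Config
    {
        private static ?string $log_handler = null;

        // Called from boot.php: HalfMoon\Config::set_log_handler("MyLog");
        public static function set_log_handler(string $class): void
        {
            self::$log_handler = $class;
        }
        public static function log_handler(): ?string { return self::$log_handler; }
    }

    class Log
    {
        public static function error(string $msg): void { self::dispatch("error", $msg); }
        public static function warn(string $msg): void  { self::dispatch("warn",  $msg); }
        public static function info(string $msg): void  { self::dispatch("info",  $msg); }
        public static function error_log_r(mixed $v): void
        {
            self::dispatch("error", print_r($v, true)); // dump a structure
        }

        private static function dispatch(string $level, string $msg): void
        {
            $handler = Config::log_handler();
            if ($handler !== null)
                $handler::log($level, $msg);   // application decides where it goes
            else
                error_log("[$level] $msg");    // default: the SAPI/apache error_log
        }
    }
}

namespace {
    // Application-supplied handler. error_log() with message_type 3 appends
    // the message verbatim to the named file, so nothing but what we write
    // (including the trailing newline) ends up in it.
    class MyLog
    {
        const FILE = "/tmp/halfmoon-example.log"; // constructed path

        public static function log(string $level, string $line): void
        {
            $stamp = date("Y-m-d H:i:s");
            error_log("$stamp [$level] $line\n", 3, self::FILE);
        }
    }

    // what boot.php would do, followed by framework-side calls:
    HalfMoon\Config::set_log_handler("MyLog");
    \HalfMoon\Log::info("request started");
    \HalfMoon\Log::error_log_r(["controller" => "blah", "action" => "show"]);
}
```

Because the handler is selected by class name string, the file it writes to and its permissions are entirely under the application's control, so the log can be kept out of the web root and readable only by the service account rather than mixed into apache's error_log.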