Pádraic Brady has a new article on his site talking about the secure distribution of phars (PHP archive files) including some of the common pitfalls and potential solutions.

The PHAR ecosystem has become a separate distribution mechanism for PHP code, distinct from what we usually consider PHP packages via PEAR and Composer. However, they still suffer from all of the same problems, namely the persisting whiff of security weaknesses in how their distribution is designed. [...] [Several security-related issues introduce an element of risk that the code you receive is not actually the code the author intended to distribute, i.e. it may decide to go do some crazy things that spell bad news when executed.

He shares some of the steps he's taken to secure his own phar for a CLI application with things like:

• Distribute the PHAR over HTTPS
• Enforce TLS verification
• Sign your PHAR with a private key
• Avoid PHAR Installer scripts
• Manage Self-Updates securely

He finishes the post with one of the most important parts of the article - a reminder to do all of the things on the list above consistently.

This is not an outrageous outcome to introducing proper security on PHAR downloads. Go forth and do it for all PHARs. Help create an environment where distributing and installing code in secure ways is the normal expected thing to do.

In this new post Mike Bronner shows you how to get the latest PHP5 and Mcrypt versions installed on OS X Yosemite to make ti easier on developers needing to run commands outside of Homestead.

Laravel Homestead has brought virtual machines for web development to the mainstream PHP developer: it makes setting up a development stack similar to XAMP extremely simple. [...] However, one of the drawbacks so far has been that you always needed to run Laravel Artisan commands from within homestead, as they depending on MCrypt being installed. [...] The accepted solution thus far has been to install newer versions of PHP alongside Apple's version using Homebrew or MacPorts. [...] However, there's another method I came across while research some non-related issues: install the latest version of PHP from a binary that includes the MCrypt extension.

He walks you through the complete process (well, except for getting Homestead - that needs to already be there) complete with each command you'll need. You'll need to be familiar with the command line to make this all happen and know how to edit configuration files. If all goes well, the "artisan" command will work correctly and no errors will happen during the compile. He also includes a fix you'll need to put in to get the database configuration working from outside Homestead too.

Evert Pot has written up a new post today with some of his thoughts about what's wrong with the PSR-7 proposal in the PHP-FIG. PSR-7 relates to a standardized interface for HTTP request and response handling.

PSR-7 is pretty close to completion. PSR-7 is a new 'PHP standard recommendation', put out by the PHP-FIG group, of which I'm a member of. [...] PSR-7 gets a lot of things right, and is very close to nailing the abstract data model behind HTTP, better than many other implementations in many programming languages.

But it's not perfect. I've been pretty vocal about a few issues I have with the approach. Most of this has fallen on deaf ears. I accept that I might be a minority in feeling these are problems, but I feel compelled to share my issues here anyway. Perhaps as a last attempt to sollicit change, or maybe just to get it off my chest.

He breaks up his thoughts into a few different categories, each with a summary and sometimes some code to help make his point a bit more clear. He talks about immutability, how objects will be immutable and shows an example of change in how Silex would have to function to follow the standard (with before/after). He then goes on to talk about the "issue with streams" and how the current proposal could allow for changing of the incoming request into a new one with new headers...not immutable. He ends the post talking about PSR-7's stance on buffering responses and how, even if his project doesn't adopt the PSR in the strictest sense, they may still take some inspiration from it.

• Convert PHP Warnings and notices into fatal errors | Rob Allen #phpquickfix, #convert, #warning, #notice, #fatal, #error
  
  
• Zend Certification Study Guide 3rd Edition Published, and a new Book on the way! | Davey Shafik #phpquickfix, #zend, #certification, #guide, #3rdedition, #published
  
  
• Modern Defense Against CSRF Attacks - Resonant Core Blog #phpquickfix, #csrf, #threatmodel, #library, #anticsrf
  
  
• Laravel 5 Generators - Laravel News #phpquickfix, #laravel5, #generator, #package, #migration
  
  
• Watch RFC Votes, live, as an event stream : PHP #phpquickfix, #rfc, #votes, #realtime, #stream
  
  
• Error Handling in PHP - Nomad PHP #phpquickfix, #error, #handling, #nomadphp, #video, #ianlittman
  
  
• Three things we know about Laravel 5.1 - Laravel News #phpquickfix, #laravel5, #jobs, #psr2, #envoy, #ssh
  
  
• Keeping the Code Monkey Fit - Nomad PHP #phpquickfix, #codemonkey, #fitness, #nomadphp, #video
  
  
• Add Laravel 5 module files by janhenkgerritsen · Pull Request #1704 · Codeception/Codeception #phpquickfix, #codeception, #testing, #laravel5, #support
  
  
• Cachet: A status page system built on Laravel - The Changelog #phpquickfix, #cachet, #status, #page, #laravel
  
  

There's an interesting set of posts from PHP community members Adam Culp and Cal Evans each on a similar subject centering around conferences and the presentations made at them. They both wonder if talks are getting too "soft" and not focusing as much on the technology and getting in-depth as they should be. From Cal:

PHP conferences are changing very slowly, and not in a way that I like. I blame myself. As a frequent speaker I am getting lazy. I get caught up in the excitement of the CfP, I write up 5-10 abstracts and shotgun them into the CfP system hoping that something hits the mark. I've not actually written these talks. In most cases, I'm pretty sure I can get 45 minutes on the topic, but I don't know for sure because I've not bothered to write it yet. Adam Culp talks about this very thing in his post "Are Conference Talks Getting Too Soft?".

Adam points out that, while introductory talks and overviews are acceptable level coverage for someone new to the speaking scene (or development), the trend seems to be that everyone is providing less "meat" in their talks.

It is hard to teach a great amount in a 1 hour talk, but if there is not some immediately usable content an attendee will have a tough time proving to their short sighted boss that it was worth their time.

Both Adam and Cal set out a challenge, both to themselves and other speakers in the community. They encourage you to spend more time with your subjects, get in-depth into the topics, present on what you're excited about and maybe even try them out locally first.

Derick Rethans has posted another article about Xdebug and some of the changes made in the most recent release, version 2.3. In his previous post he talked about the improvements to var_dump and in this one he shares updates to the xdebug_debug_zval handling.

xdebug_debug_zval() has been around for quite some time, to provide correct information about how PHP internally stores a variable. Unlike PHP's built in debug_zval_dump() function, it does not modify the variable information that it tries to show. This is because instead of passing in a variable, you pass in its name. Passing a variable into a function, can modify the various parameters that are associated with this variable, such as the is_ref and refcount fields.

He includes a bit of background about what the function is used for and then shows the difference it has in 2.3: the ability to handle nested data structures including property dereference support. He includes a few code examples showing the use of the function and the output it would generate for both an array and an object.

The Voices of the ElePHPant podcast has posted the latest in their series of interviews with PHP community members. In this new episode host Cal Evans talks with Morgan Tocker,

They talk about Morgan's talk at Sunshine PHP 2015 about tuning MySQL queries using some of the built-in tools). He also mentions some of the newer features of the EXPLAIN handling including more information provided and other metadata provided as a part of the output. They also talk about some of the "cost" data associated with different queries and how they effect performance.

You can listen to this latest episode either through the in-page audio player or you can grab the mp3 and listen to it at your leisure. If you enjoy the interview, be sure to subscribe to their feed.

• pecl_http 2.3.1 * Fixed build on platforms that need stddef.h to define ptrdiff_t (e.g. CentOS 7.5)
  
  
• pecl_http 2.3.0 + Preliminiary HTTP2 support for httpClient (libcurl with nghttp2 support) + Improved performance of HTTP info parser (request/response line) + Improved performance of updating client observers + Improved performance of httpEnvResponse output to streams + Improved the error messages of the header parser + Added httpHeaderParser class + Added httpClient::configure() method accepting an array with the following options for libcurl: . maxconnects (int, size of the connection cache) . max_host_connections (int, max number of connections to a single host, libcurl >= 7.30.0) . max_pipeline_length (int, max number of requests in a pipeline, libcurl >= 7.30.0) . max_total_connections (int, max number of simultaneous open connections of this client, libcurl >= 7.30.0) . pipelining (bool, whether to enable HTTP/1.1 pipelining) . chunk_length_penalty_size (int, chunk length threshold for pipelining, libcurl >= 7.30.0) . content_length_penalty_size (int, size threshold for pipelining, libcurl >= 7.30.0) . pipelining_server_bl (array, list of server software names to blacklist for pipelining, libcurl >= 7.30.0) . pipelining_site_bl (array, list of server host names to blacklist for pipelining, libcurl >= 7.30.0) . use_eventloop (bool, whether to use libevent, libcurl+libevent) + Added httpClient::getAvailableOptions() and httpClient::getAvailableConfiguration() methods + Added support for HTTP2 if libcurl was built with nghttp2 support. + Added httpClientCurlHTTP_VERSION_2_0 constant (libcurl >= 7.33.0) + Added httpClientCurlTLS_AUTH_SRP constant (libcurl >= 7.21.4) + Added pinned_publickey SSL request option (libcurl >= 7.39.0) + Added tlsauthtype, tlsauthuser and tlsauthpass SSL request option (libcurl >= 7.21.4) + Added verifystatus (a.k.a OCSP) SSL request option (libcurl >= 7.41.0) + Added proxyheader request option (libcurl >= 7.37.0) + Added unix_socket_path request option (libcurl >= 7.40.0) * Fixed compress request option * Fixed parsing authorities of CONNECT messages * Fixed parsing Content-Range messages * Fixed httpEnvResponse to default to chunked encoding over streams * Fixed superfluous output of Content-Length:0 headers * Fixed persistent easy handles to be only created for persistent multi handles * Fixed the header parser to accept not-yet-complete header lines * Fixed httpMessage::toStream() crash in ZTS mode * Fixed the message stream parser to handle intermediary data bigger than 4k * Fixed the message stream parser to handle single header lines without EOL * Fixed httpMessageBody to not generate stat based etags for temporary streams - Deprecated httpClient::enablePipelining(), use httpClient::configure(["pipelining" => true]) instead - Deprecated httpClient::enableEvents(), use httpClient::configure(["use_eventloop" => true]) instead - Removed the cookies entry from the transfer info, wich was very slow and generated a Netscape formatted list of cookies - Changed the header parser to reject illegal characters Changes from RC1: * Fixed a shutdown crash with chunked encoded stream responses
  
  
• xdebug 2.3.1 Tue, Feb 24, 2015 - xdebug 2.3.1 = Fixed bugs: - Fixed issue #1112: Setting an invalid xdebug.trace_format causes Xdebug to crash - Fixed issue #1113: xdebug.*_trigger do no longer work, due to NULL not being an empty string
  
  

The Voices of the ElePHPant podcast has posted their latest in their series of community interviews this time with Larry Garfield, an advocate and well-known speaker in the PHP and Drupal communities.

They talk about Larry's involvement with Cal's "secret project" (no longer secret): the Wisdom of the ElePHPant book. Larry shares the concept behind his entry based on a quote from Pablo Picasso and when to break the rules. They also talk about Drupal 8 and the current state of the project.

You can listen to this latest episode either through the in-page audio player or by downloading the mp3. If you enjoy the episode, be sure to subscribe to their feed to get the latest.

The SitePoint PHP blog has posted a request for responses to a survey about which PHP framework you consider to be the best for 2015.

Almost a year and a half ago we published the results of a framework survey on the PHP channel. The survey, while producing fewer entries than our IDE survey still provided us with valuable insight into our audience and the state of individual vs. team developers out there.

With Laravel 5 fresh out of the oven, Phalcon being kickstarted into full-time development, and others reaching a much anticipated maturity, it's only natural we're curious about your preferences - have they changed? Do they remain unbudged? Do you wish you could switch so hard you can taste it, but aren't allowed to by your company? We're interested in all these points and much more.

The survey will run for a month and there's some prizes involved for the top "resharers" of the survey. You can submit your own votes directly through the post at the bottom. Questions range from which framework you prefer to which you use at your place of employment and why each was chosen. Submit your answers today and help get a better idea of the PHP framework landscape.