Evonide.com:
How we broke PHP, hacked Pornhub and earned $20,000
Jul 25, 2016 @ 12:31:48

The PornHub.com site (definitely NSFW) is a high profile site that, as it turns out, uses PHP for a lot of its functionality. In this interesting article from the Evonide Security Research Group they show how they "broke PHP and hacked PornHub" (and earned a $20k USD bug bounty in the process). Don't worry, the article itself is "safe for work" as it's only descriptions and code examples of how the hack was performed.

Pornhub’s bug bounty program and its relatively high rewards on Hackerone caught our attention. That’s why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP.

The post then walks you, step-by-step, through the process they followed to discover the exploit. The main entry point was PornHub's use of the unserialize function, which contained a flaw allowing for code execution when a specially crafted object was injected. With the help of this they were able to escape the PHP execution environment and inject custom C code to be executed on the local system. This was, in turn, then used to run file_get_contents on the local /etc/passwd file and return its contents.

tagged: pornhub hack evonide serialize code injection security

Link: https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/

TutsPlus.com:
New Features in Laravel 5.2
Jul 25, 2016 @ 11:14:31

On the TutsPlus.com site they've posted a guide sharing some of the new features that have come with the 5.2 version of the Laravel framework. With v5.3 on the horizon, it's good to get a solid base with 5.2 first.

In this article, I will take a look at the new features of Laravel 5.2 and describe them one by one. The new features are [...]: implicit route model binding, form array validation, API rate-limiting middleware, middleware groups, authentication scaffold and multiple authentication guard drivers

The post then goes through each of these topics, providing a bit of explanation of what they're about and how they can be useful. There are also snippets of code included where helpful to show off the feature and provide a more useful example.

tagged: laravel features v52 overview code example description

Link: http://code.tutsplus.com/tutorials/new-features-in-laravel-52--cms-26229

Intracto Blog:
How to save a kitten by writing clean code
Jun 03, 2016 @ 12:52:50

On the Intracto blog there's a new post from Joeri Timmermans talking about writing clean code with some good suggestions you can easily incorporate into your current processes.

So you came here to save a kitten? That's wonderful, but the real reason we're both here is to talk about clean code. In this blog post I'll be sharing some of my personal experiences and tips. But before we dive into the tips and tricks part, let's talk about what we, as developers, do and why we do it.

He touches on several topics including:

  • Best vs Fastest
  • Reading vs Writing
  • File and Folder Organization
  • Naming [conventions and clarity]

He also recommends that you "return often" and keep things DRY, and suggests a few PHP-specific tools that can help.

tagged: clean code recommendation process development opinion

Link: http://blog.intracto.com/how-to-save-a-kitten-by-writing-clean-code

QaFoo Blog:
When to Abstract?
May 18, 2016 @ 10:12:18

On the QaFoo blog they've posted an article that shares some of their thoughts on "when to abstract" in your code - essentially finding that point where abstracting out functionality makes sense.

One of the most difficult challenges in a developer's life is finding the "right" abstraction, or at least the best one given the current circumstances. The core problem is that abstraction is a bet on the future development of the software and we know that future is volatile. As the circumstances change, so will the view on the best abstraction.

But there is another dimension which influences this decision: What kind of software are you developing?

They start off by defining three different types of projects (internal, library and adaptable) and move into how the project type changes when and how you abstract things in your code. They give a brief summary for each type and when it usually makes sense, including the steps to take (concrete first, then abstract).

tagged: abstract code library internal adaptable type opinion concrete

Link: https://qafoo.com/blog/084_when_to_abstract.html

Mathias Verraes:
The Repair/Replace Heuristic for Legacy Software
Apr 28, 2016 @ 11:48:06

Mathias Verraes has shared some thoughts about legacy applications and how development should be handled as new features are added and bugs are fixed. He proposes a "heuristic" to keep in mind as you work in your legacy code: the Repair/Replace Heuristic.

Technical Debt is a great metaphor. It shares many analogous properties with financial debt: loans, accrued interest, token payments, bankruptcy… There is a key difference however. We take financial debt with another party. [...] Technical Debt has no measure like money, and no ruleset like Property law, and, more importantly, with Technical Debt there is no other party. The organisation is both the creditor and debtor. [...] In “Managed Technical Debt”, I propose a cheap, imprecise, but surprisingly effective method for mapping and measuring debt. In short, it involves posting stickies whenever progress is impeded by debt, and keep marking the stickies for every incident.

By following this method, you gather together a better overall picture that makes determining the worst debt in your application easier. He proposes using this to follow the Repair/Replace methods: repairing something if it's well architected or replacing it if it's not.

Even when you’re not trying to decide on Repair/Replace — perhaps the decision was already made by others — the process of mapping its history will teach you more about the system and its design. And one deep insight you learn from temporal modelling.

tagged: legacy code replace repair heuristic software opinion

Link: http://verraes.net/2016/04/repair-replace-heuristic-for-legacy-software/

PHP Roundtable:
044: Asynchronous PHP
Apr 27, 2016 @ 09:23:05

The PHP Roundtable, with host and PHP community member Sammy K Powers, has posted a new episode featuring a discussion about Asynchronous PHP. In this show Sammy is joined by guests Christopher Pitt, Sara Golemon and Aaron Piotrowski.

Async? Isn't that like AJAX in Javascript or something? Most PHP developers encounter asynchronous code for the first time in Javascript, but not many are aware that PHP can do async too. We discuss asynchronous programming in PHP and how we might be able to implement it in our own projects using various libraries. We also take a look at how async features could be added to PHP core to support async natively.

There's plenty of detail in the show notes for this episode covering all of the topics mentioned and links to some other resources you can use to find out more about asynchronous development in PHP. You can listen/watch this latest episode either through the in-page video player or directly on YouTube. If you enjoy the show, be sure to subscribe to their feed and follow them on Twitter for the latest updates when new shows are released.

tagged: phproundtable podcast ep44 asynchronous code discussion

Link: https://www.phproundtable.com/episode/asynchronous-php

Toptal.com:
Clean Code and The Art of Exception Handling
Apr 13, 2016 @ 09:43:50

While not specific to PHP (the examples are in Ruby, in fact) this new tutorial on the Toptal.com blog has some good information and suggestions around the use of exceptions in your applications.

Exceptions require special treatment, and an unhandled exception may cause unexpected behavior. The results are often spectacular.

Over time, these errors, and countless others [...] contributed to the impression that exceptions are bad. But exceptions are a fundamental element of modern programming; they exist to make our software better. Rather than fearing exceptions, we should embrace them and learn how to benefit from them. In this article, we will discuss how to manage exceptions elegantly, and use them to write clean code that is more maintainable.

The author starts by talking about why exception handling is a good thing and some common practices to help make exceptions more manageable. He suggests that good exception handling can also help make your code more maintainable, extensible and readable in the long run. He suggests creating your own exception hierarchy (more possible in PHP 7) and using it to be more specific about the type of exception that was thrown. He recommends not "rescuing" exceptions more than needed (in PHP this is try/catch) and notes that it's okay to defer the handling of a thrown exception rather than deal with it right away.

He also reminds you that not all exceptions need handling in your own code (sometimes it's up to the user) and that following conventions on naming can help end users better understand why there's an error. Finally, he recommends logging exceptions as they're major errors in your application, not just data problems or smaller bugs.

tagged: clean code exception handling bestpractice hierarchy trycatch convention

Link: https://www.toptal.com/qa/clean-code-and-the-art-of-exception-handling

Cal Evans:
Seven Words You Can Never Say on Television…But Can Apparently Say In Code
Apr 01, 2016 @ 11:49:39

In a lighthearted post for this April Fools' Day, Cal Evans has released some interesting research ("research" here meaning "searching on GitHub") into the statistics behind the use of profanity in code. (As you'd expect, there's profanity in the post, so don't read it if you're offended by that.)

The late great George Carlin had many awesome comedy skits. One of them – possibly his most famous – is “Seven Words You Can Never Say on Television” from the comedy album “Class Clown”. In it he gives his list of seven words that – at the time – were inappropriate for over the air broadcast in the United States.

I thought it would be fun – if for no other reason than clickbait – to run the 7 dirty words against Github to see who is using what, and where. I took screenshots so that you can see each word and which languages use it the most. I also list PHP’s rating for each word out of the top 10 languages.

While I won't go into the list of actual words in this post, it's interesting to see which languages come out on top for certain words. In most cases PHP came in somewhere in the middle with a few exceptions either way.

tagged: profanity words code results search github ranking

Link: https://blog.calevans.com/2016/04/01/seven-words-you-can-never-say-on-television-but-can-apparently-say-in-code/

Freek Van der Herten:
Converting PHP 7 code to equivalent PHP 5 code
Apr 01, 2016 @ 09:50:56

Freek Van der Herten has a post on his site about another new library he's worked on (along with two others) to help convert PHP 7 code back to PHP 5 code: 7to5.

In the JavaScript world converting modern code to an older syntax is quite common. In the PHP world you don’t see that happen often. Symfony provides a few [polyfills](https://github.com/symfony/polyfill), but a full fledged conversion isn’t available. At the meetup of [our local PHP user group](http://www.meetup.com/phpantwerp/) [Jens Segers](https://twitter.com/jenssegers), [Hannes Van de Vreken](https://twitter.com/hannesvdvreken) and I were toying around with the idea of converting PHP 7 code to equivalent PHP 5 code automatically.

Today our little hobby project called 7to5 was tagged 1.0.0. You can view the repo on GitHub.

He starts by talking about what the library does to backport code from PHP 7 to PHP 5 and how to install and use the command line tool. He then gets into things "behind the curtains" with a sample PHP 7 class and the resulting PHP 5 code. They made use of the PHP Parser tool for processing the PHP code provided: it matches on certain node types and performs the token replacement. He gives examples of this with the null coalesce operator replacement and scalar type hinting.

tagged: convert php7 php5 code tool 7to5 introduction library

Link: https://murze.be/2016/03/converting-php-7-code-equivalent-php-5-code/

Juozas Kaziukenas:
From PHP to Machine Code
Mar 28, 2016 @ 09:41:29

In his latest post Juozas Kaziukenas shares a video of his "From PHP to Machine Code" talk he presented at the PHP UK Conference earlier this year (2016).

I recently gave a talk at a few conferences titled “From PHP to Machine Code”. It explains how compilers and interpreters work in general, where are the performance gains to be found and how I applied all of that to build PyHP. PyHP is a little toy project which showcases the basics of taking source code of a programming language and executing it.

As I mention a few times in the talk, it is completely and utterly useless for practical use, but it’s one of the fundamental skill-sets for any programmer. I think knowing how a bunch of text makes a computer do things at the low level is required knowledge for everyone.

The video of the presentation is embedded in the post, or you can watch it directly on YouTube if you'd like. In it he walks you through the entire process that happens from the time the PHP is executed all the way down to opcodes and bytecode.

tagged: video presentation phpuk16 conference bytecode compiler machine code execution

Link: https://juokaz.com/blog/from-php-to-machine-code.html