Paragon Blog:
Building Secure Web Applications in PHP
Sep 21, 2015 @ 16:15:56

The Paragon Initiative has posted an article to their blog talking about how to build secure applications in PHP. Rather than dig into specific vulnerabilities, they stay relatively high level, sticking with concepts to keep in mind and steps you can follow to ensure your development practices are secure.

Whether you're planning the development of a brand new application or trying to prevent legacy code from causing a costly data breach, if you're going to be writing PHP, where should you begin? That is the question we will attempt to answer, in detail.

The article starts with an "easy way out" for those that don't feel like they know enough or just don't have the resources they need: hire consultants. With that out of the way, the article names two root causes for insecure apps: lack of knowledge about security and bad development habits. They then get into some suggestions about how you can learn to understand and prevent vulnerabilities in your own applications. They focus on a few key places for PHP developers to pay attention to, complete with some charts showing the parts of the flow. The post ends with some advice on what to do if your site is compromised anyway and how to move forward.

tagged: secure application advice common issues developer

Link: https://paragonie.com/blog/2015/09/building-secure-web-applications-in-php

Kevin Ennis:
On Unit Testing
Jul 27, 2015 @ 11:48:31

On Medium.com Kevin Ennis has shared some thoughts on unit testing and how he's "done a 180%" on what kind of value he feels they bring.

There are a lot of really easy ways to rationalize not testing your code, and I’m probably guilty of saying each of them at one point or another. For some engineers, I think the reluctance to embrace unit testing is basically just FUD. Like so many other things, testing seems scary if you haven’t done it before.

But it’s also really difficult to fully understand the benefits of testing unless you’ve worked on a project that has good tests. So it’s easy to see why, without fully understanding the upside, many developers regard unit testing as an unnecessary step.

He goes through several of the common excuses for not writing unit tests and debunks them one at a time. He also includes a brief section at the end of the post with a recommendation on how to get started testing: essentially, "just do it".

tagged: unittest opinion common rationalization fud

Link: https://medium.com/@kevincennis/on-unit-testing-1cc6798f81ee

Blackfire.io Blog:
How Blackfire leverages Docker
May 01, 2015 @ 10:08:34

The Blackfire.io PHP debugging service (from SensioLabs) has a new post to their blog today talking about how the service makes use of Docker to build the environments for testing out their users' code.

As you may know, Blackfire was represented at the SymfonyLive conference in Paris. During this event, several people came to us and asked how we use Docker at Blackfire.io. One of our goals is to make profiling straightforward for anyone, and it means that we need to be able to easily test our product on a lot of different platforms. And Docker gives us the ability to spin up new containers in milliseconds.

Moreover, our website relies a lot on different tools, so containers can also help us reach an iso-production development environment. But Docker is only available on Linux and a big part of Blackfire's team is using MacOS X. So how can someone using MacOS X get the best of both worlds?

The post goes on to talk about their use of the boot2docker tool and how they use it for the environment customization most developers want out of their testing. They show how it updates the network settings, works with file sharing and allows for multiple domain names/containers, and they offer solutions to some other common issues, including no container access and no name resolution, plus a "bonus" section on a Skydock plugin for custom DNS naming.

tagged: blackfireio docker example common issue boot2docker

Link: http://blog.blackfire.io/how-we-use-docker.html

Pádraic Brady:
TLS/SSL Security In PHP: Avoiding The Lowest Common Insecure Denominator Trap
Apr 24, 2015 @ 10:30:50

In his latest post Pádraic Brady shares his thoughts about the state of TLS/SSL functionality in PHP and why he thinks developers should avoid the trap of targeting the "lowest common denominator", which in practice means opting for insecurity.

A few weeks back I wrote a piece about updating PHARs in-situ, what we’ve taken to calling “self-updating”. In that article, I touched on making Transport Layer Security (TLS, formerly SSL) enforcement one of the central objectives of a self-updating process. In several other discussions, I started using the phrase “Lowest Common Insecure Denominator” as a label for when a process, which should be subject to TLS verification, has that verification omitted or disabled to serve a category of user with poorly configured PHP installations.

This is not a novel or even TLS-only concept. All that the phrase means is that, to maximise users and minimise friction, programmers will be forever motivated to do away with security features that a significant minority cannot support by default.

He goes on to talk about how, in some places, targeting the lowest common denominator is okay, but security isn't one of them. He also includes four basic concepts developers can adhere to in order to prevent this targeting:

  • You should never knowingly distribute insecure code.
  • You should accept responsibility for reported vulnerabilities.
  • You should make every effort to fix vulnerabilities within a reasonable time.
  • You should responsibly disclose vulnerabilities and fixes to the public.

He follows these up with three steps you can follow to migrate an insecure architecture into something much more robust. This includes identifying the consequences of the update and documenting the solutions you've chosen, be those configuration updates or library changes.
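To make the "Lowest Common Insecure Denominator" concrete, here is an added example (not code from Pádraic's post) of a PHAR self-updater's download step written the way he warns against, beside a version that enforces TLS verification and refuses to downgrade when the installation cannot verify. It assumes PHP 7.1 or later with the OpenSSL extension; the update URL is a placeholder.

```php
<?php
// Added example, not code from the post: the download step of a PHAR
// self-updater written the "Lowest Common Insecure Denominator" way, beside
// a version that enforces TLS verification. Assumes PHP >= 7.1 with the
// OpenSSL extension; the update URL is a placeholder.

declare(strict_types=1);

const UPDATE_URL = 'https://updates.example.invalid/tool.phar'; // placeholder

// The trap: verification switched off so that users whose PHP has no CA
// bundle "just work". Anyone on the network path can now substitute the PHAR.
function fetchInsecure(string $url)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true,
    ]]);
    return file_get_contents($url, false, $ctx);
}

// Find a readable CA bundle: php.ini's openssl.cafile first, then OpenSSL's
// compiled-in default. Returns null instead of guessing.
function locateCaBundle(): ?string
{
    $loc = openssl_get_cert_locations();
    foreach ([$loc['ini_cafile'] ?? '', $loc['default_cert_file'] ?? ''] as $candidate) {
        if ($candidate !== '' && is_readable($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// The fix: verify the peer certificate and hostname, and when the installation
// cannot do that, fail with an actionable message rather than downgrade.
function fetchVerified(string $url): string
{
    $caFile = locateCaBundle();
    if ($caFile === null) {
        throw new RuntimeException(
            'No readable CA bundle found; set openssl.cafile in php.ini or install your OS ca-certificates package.'
        );
    }
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'         => true,
        'verify_peer_name'    => true,
        'allow_self_signed'   => false,
        'cafile'              => $caFile,
        'disable_compression' => true,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('Verified TLS download failed: ' . ($err['message'] ?? 'unknown error'));
    }
    return $body;
}

if (PHP_SAPI === 'cli') {
    try {
        $phar = fetchVerified(UPDATE_URL);
        printf("downloaded %d bytes over verified TLS\n", strlen($phar));
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . PHP_EOL);
        exit(1);
    }
}
```

The design point is in `fetchVerified`: a missing CA bundle is treated as a configuration error to report to the user, not as a reason to flip `verify_peer` off for everyone. That is the "migrate the insecure architecture" step he describes, applied to the one place where the downgrade usually creeps in.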

tagged: tls ssl security lowest common insecure denominator trap avoid

Link: http://blog.astrumfutura.com/2015/04/tlsssl-security-in-php-avoiding-the-lowest-common-insecure-denominator-trap/

SitePoint PHP Blog:
7 More Mistakes Commonly Made by PHP Developers
Jul 25, 2014 @ 11:29:28

Following several other posts with the "common mistakes PHP developers make" theme, Bruno Skvorc has posted his own list of seven things he sees developers doing over and over.

Back at the end of June, TopTal, the freelance marketplace, published a post about 10 Most Common Mistakes PHP Programmers Make. The list wasn’t exhaustive, but it was well written and pointed out some very interesting pitfalls one should be wary of – even if I wouldn’t personally list the mistakes as very common. I encourage you to give it a thorough read – it has some truly valuable information you should be aware of – especially the first eight points.

His additions to the list of common mistakes include:

  • Using the mysql extension
  • Not rewriting URLs
  • Assigning in Conditions
  • Being Too Transparent

You can read the full list and summaries of each in the rest of the post.

tagged: common mistakes list more

Link: http://www.sitepoint.com/7-mistakes-commonly-made-php-developers/

Anna Filina:
Common PHP Mistakes
Jul 21, 2014 @ 13:53:31

Anna Filina has posted her own addendum to a top ten list of common PHP programmer mistakes, adding seven more of her own.

I was recently asked by one of my readers to give feedback on the following article he read: 10 Most Common PHP Mistakes. It is well written and very thorough. Most of the tips are specific to PHP, others are about web programming in general or database performance. It’s a very good read. I was also asked to contribute to this list, so here are 7 more tips.

Her list of seven touches on topics like caching, allowing SQL injection, disabling error reporting and ignoring accessibility. She also includes some configuration settings, code and links to other tools/resources to help provide information on preventing these other mistakes.

tagged: common programmer mistakes additional tips

Link: http://afilina.com/common-php-mistakes/

Toptal Blog:
10 Most Common PHP Mistakes
Jul 17, 2014 @ 12:52:40

On the Toptal blog Ilya Sanosyan has a post sharing what he sees as the top ten most common mistakes PHP developers make on a day-to-day basis. While most of the tips are code-specific, there are one or two that are a bit more abstract.

PHP makes it relatively easy to build a web-based system, which is much of the reason for its popularity. But its ease of use notwithstanding, PHP has evolved into quite a sophisticated language, with many nuances and subtleties that can bite developers, leading to hours of hair-pulling debugging. This article highlights ten of the more common mistakes that PHP developers need to beware of.

Among the items on his list are things like:

  • Leaving dangling array references after foreach loops
  • Confusion about returning by reference vs. by value
  • Memory usage headfakes and inefficiencies
  • Assuming $_POST will always contain your POST data
  • Thinking that PHP supports a character data type

Each of the items comes with a good description, some code and suggestions on how to avoid and/or fix it in your applications.
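Two of the pitfalls from the list above, reproduced and then corrected in an added example that is not code from the Toptal article. It assumes PHP 7.0 or later; the request values at the bottom are constructed stand-ins for `$_SERVER['CONTENT_TYPE']`, `$_POST` and `php://input`, not a live request.

```php
<?php
// Added example, not code from the Toptal article: two of the listed
// pitfalls reproduced and then corrected. Assumes PHP >= 7.0; the request
// values at the bottom are constructed stand-ins, not a live request.

declare(strict_types=1);

// Pitfall: a by-reference foreach leaves $v bound to the last element.
function danglingReference(): array
{
    $values = [1, 2, 3];
    foreach ($values as &$v) {
        $v *= 10;
    }
    // $v is still a reference to $values[2], so this read-only loop
    // silently overwrites that slot on every iteration.
    foreach ($values as $v) {
    }
    return $values; // [10, 20, 20], not [10, 20, 30]
}

// Fix: unset the reference the moment the loop is done.
function fixedReference(): array
{
    $values = [1, 2, 3];
    foreach ($values as &$v) {
        $v *= 10;
    }
    unset($v);
    foreach ($values as $v) {
    }
    return $values; // [10, 20, 30]
}

// Pitfall: $_POST is filled only for form-encoded and multipart bodies.
// A JSON request leaves it empty, so $_POST['amount'] is undefined and any
// validation built on it is skipped. Parse the raw body yourself for JSON.
function readRequestBody(string $contentType, array $post, string $rawInput): array
{
    if (stripos($contentType, 'application/json') === 0) {
        $decoded = json_decode($rawInput, true);
        if (!is_array($decoded)) {
            throw new InvalidArgumentException('malformed JSON body');
        }
        return $decoded;
    }
    return $post; // form posts: PHP has already parsed these into $_POST
}

// Constructed demo inputs. In a real request they come from
// $_SERVER['CONTENT_TYPE'], $_POST and file_get_contents('php://input').
print_r(danglingReference());
print_r(fixedReference());
print_r(readRequestBody('application/json; charset=utf-8', [], '{"user":"alice","amount":42}'));
```

The foreach case is worth running once to see for yourself: the second loop never writes to `$values` explicitly, yet the array comes back changed.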

tagged: common language mistakes top10 list

Link: http://www.toptal.com/php/10-most-common-mistakes-php-programmers-make

Timoh's Blog:
PHP data encryption cheatsheet
Jun 17, 2014 @ 10:52:44

Timoh has published a data encryption cheatsheet to his blog today. It's "a short guide" to help you prevent some of the more common encryption-related problems in your application, specifically around symmetric data encryption.

This cheatsheet assumes a “client-server” situation, which is probably a typical case with PHP applications. Naturally the recommendations given here are not the “only possible way” to handle data encryption in PHP, but this cheatsheet aims to be straightforward and tries to leave less room for mistakes and (possibly confusing) choices.

The cheatsheet includes information on topics like:

  • Encryption algorithm / mode of operation / nonce (initialization vector)
  • Encryption and authentication keys
  • Key stretching
  • Key storage and management
  • Data compression

It's jam-packed full of great information, so definitely check it out if you're doing any kind of encryption in PHP.
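As an added example that is not code from the cheatsheet, here are the first three topics above in working form: a key-stretched master key, separate encryption and authentication keys derived from it, a random IV per message, and Encrypt-then-MAC with constant-time verification before any decryption. It assumes PHP 7.1.2 or later with the OpenSSL extension; the password, message and iteration count are constructed for illustration.

```php
<?php
// Added example, not code from Timoh's cheatsheet: symmetric Encrypt-then-MAC
// with separate encryption and authentication keys, both derived from a
// stretched master key. Assumes PHP >= 7.1.2 with the OpenSSL extension;
// the password and sample message are constructed for illustration.

declare(strict_types=1);

const PBKDF2_ITERATIONS = 100000; // key-stretching cost; tune to your hardware
const SALT_BYTES = 16;
const IV_BYTES   = 16;  // AES block size; a CTR nonce must never repeat per key
const MAC_BYTES  = 32;  // HMAC-SHA256 output

// Stretch a human password into a 32-byte master key. The random salt is
// stored with the ciphertext and defeats precomputation across users.
function stretchKey(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 32, true);
}

// Derive two independent sub-keys so the MAC key never equals the cipher key.
function deriveKeys(string $masterKey): array
{
    return [
        'enc' => hash_hkdf('sha256', $masterKey, 32, 'encryption'),
        'mac' => hash_hkdf('sha256', $masterKey, 32, 'authentication'),
    ];
}

// Output layout: salt || iv || ciphertext || mac
function encryptMessage(string $plaintext, string $password): string
{
    $salt = random_bytes(SALT_BYTES);
    $iv   = random_bytes(IV_BYTES);
    $keys = deriveKeys(stretchKey($password, $salt));

    $ciphertext = openssl_encrypt($plaintext, 'aes-256-ctr', $keys['enc'], OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // The MAC covers everything the receiver will parse, salt and IV included.
    $mac = hash_hmac('sha256', $salt . $iv . $ciphertext, $keys['mac'], true);
    return $salt . $iv . $ciphertext . $mac;
}

function decryptMessage(string $blob, string $password): string
{
    if (strlen($blob) < SALT_BYTES + IV_BYTES + MAC_BYTES) {
        throw new RuntimeException('ciphertext too short');
    }
    $salt       = substr($blob, 0, SALT_BYTES);
    $iv         = substr($blob, SALT_BYTES, IV_BYTES);
    $ciphertext = substr($blob, SALT_BYTES + IV_BYTES, -MAC_BYTES);
    $mac        = substr($blob, -MAC_BYTES);
    $keys = deriveKeys(stretchKey($password, $salt));

    // Verify first, in constant time, so tampered bytes are rejected before
    // the cipher ever processes them.
    $expected = hash_hmac('sha256', $salt . $iv . $ciphertext, $keys['mac'], true);
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('authentication failed');
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-ctr', $keys['enc'], OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plaintext;
}

// Constructed demo input.
$password = 'correct horse battery staple';
$blob = encryptMessage('account balance: 42', $password);
echo decryptMessage($blob, $password) === 'account balance: 42' ? "round trip ok\n" : "round trip FAILED\n";

// Flip one ciphertext byte: the MAC check must reject it before decryption.
$tampered = $blob;
$pos = SALT_BYTES + IV_BYTES;
$tampered[$pos] = chr(ord($tampered[$pos]) ^ 0x01);
try {
    decryptMessage($tampered, $password);
    echo "unexpected: tampered blob accepted\n";
} catch (RuntimeException $e) {
    echo "rejected tampered blob: {$e->getMessage()}\n";
}
```

The two points most often got wrong are both visible here: the same key is never used for both encryption and authentication, and the MAC is checked with `hash_equals` before `openssl_decrypt` runs, so a modified message is rejected without leaking anything about the plaintext.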

tagged: data encryption cheatsheet common mistakes

Link: https://timoh6.github.io/2014/06/16/PHP-data-encryption-cheatsheet.html

Doctrine Project:
Our HHVM Roadmap
Dec 24, 2013 @ 11:57:58

The Doctrine project has posted an update about the work being done, in collaboration with Facebook, to get Doctrine running well on HHVM (the HipHop VM from Facebook), along with their future plans.

Facebook has been pushing HHVM a lot lately, helping open source projects to get their test-suite running 100%. For Doctrine HHVM is particularly interesting, because of the performance gains that the complex PHP algorithms inside ORM would probably get. From my current feeling Doctrine will be the PHP open-source project getting the most gain from running on HHVM. However with the tests not yet passing on the ORM, we can only imagine how big that performance improvement will be.

One of their goals is to be able to run DBAL/ORM on HHVM with 100% passing tests. So far they've been working on Common project functionality and have three components fully supported under HHVM: Collections, Inflector and Lexer. Work is still being done on other parts of the codebase, with the ORM and DBAL being the lion's share of the job.

tagged: doctrine project hhvm facebook orm dbal common

Link: http://www.doctrine-project.org/blog/our-hhvm-roadmap.html

Why don't you contribute to PHP?
Sep 05, 2013 @ 13:26:29

On Reddit.com today nikic asks why you don't contribute to PHP, that is, to the language itself or to the community around its improvement.

I know many of you care about PHP and have suggestions about how to improve it. My question is: What prevents you from writing a mail to the internals mailing list with your suggestion/proposal (or to participate in existing discussions)? [...] I'd be interested in your opinions and hope that things can be improved based on them.

Some of his own examples to kick off the discussion include time constraints, not being able to write the patch themselves and some of the issues with the culture of the internals mailing list. Other suggestions from the comments include lack of confidence in coding skills (C++), the possible lack of interest in the RFC and the current state of the language's codebase.

tagged: contribute language reason common list

Link: http://www.reddit.com/r/PHP/comments/1lsha2/why_dont_you_contribute_to_php/