SitePoint PHP Blog:
The State of Accessibility in PHP Tools
Aug 03, 2015 @ 11:19:21

On the SitePoint PHP blog Parham Doustdar has posted a look at accessibility in PHP tools or how easy they make it for those with disabilities (such as his own blindness) to do their development work.

Usually when I tell people that I’m blind, many people ask me how I can use the computer. “Is someone reading you my messages?” I remember someone asking. Many people imagine that I have this super-nifty speech recognition software that I can just talk to, and it would do anything, even write code. Imagine dictating code to a speech recognition system! [...] I gave an answer on Quora, to someone who had asked How does a visually impaired computer programmer do programming? I recommend you go through that answer to have a better context on what I’ll be talking about in this post.

He starts with a look at how visually impaired people could normally use a computer using screen readers, interaction with the software (all through the keyboard) and some things that just can't be done with this setup. He covers some of the issues screen readers have when parsing web applications and links to the WebAIM articles page for more information there. He then gets into the IDE comparison covering essential, assistance and supplementary features as well as community engagement around accessibility issues. He compares:

  • PHPStorm
  • SublimeText
  • NetBeans
  • Eclipse-based IDEs (Zend Studio, Eclipse PDT)
  • Notepad++

Unfortunately, most of the software on his list received a rating of "zero" on the scale with the exception of Notepad++, though it still has places it falls flat.

tagged: accessibility tools blind programming ide comparison screenreader

Link: http://www.sitepoint.com/the-state-of-accessibility-in-php-tools/

SitePoint Web Blog:
PHP vs Node.js Smackdown: Right of Reply
Jul 09, 2015 @ 09:53:22

In response to the previously posted Node.js vs PHP "Smackdown" article on the SitePoint Web blog, PHP blog editor Bruno Skvorc and an author from the SitePoint JavaScript channel, James Hibbard, come back with their own rebuttal to some of the points made in the previous article from a more "PHP perspective."

In SitePoint's recent PHP vs Node.js Smackdown, Craig Buckler pitted these development disciplines against each other over a series of ten challenges, to determine which is the overall winner. As Craig notes in the article, these comparisons are always somewhat controversial. As a fun followup, we asked Bruno Skvorc (SitePoint's PHP editor) and James Hibbard (one of SitePoint's JavaScript editors) to provide a commentary on each of the rounds.

For each of the rounds, they start with a summary of the related findings by Craig in the first article and share comments from both Bruno and James. With his slant towards JavaScript, James often agrees with what the original article stated, but Bruno usually disagrees or adds comments to clarify the PHP side of the situation (from a more insider's perspective).

tagged: smackdown nodejs language comparison reply brunoskvorc jameshibbard

Link: http://www.sitepoint.com/php-vs-node-js-smackdown-right-of-reply/

SitePoint Web Blog:
SitePoint Smackdown: PHP vs Node.js
Jul 08, 2015 @ 11:09:25

The SitePoint Web blog has posted a "smackdown" comparing two popular languages, PHP and Node.js, based on several different points.

The web is an ever-changing technology landscape. Server-side developers have a bewildering choice of long-standing heavy-weights such as Java, C, and Perl to newer, web-focused languages such as Ruby, Clojure and Go. It rarely matters what you choose, presuming your application works.

But how do those new to web development make an informed choice? I hope not to start a holy war, but I’m pitting two development disciplines against each other: PHP and Node.js.

He goes through ten "rounds" of evaluations on various points including how easy it is to get started, help & support options, development tools available and hosting & deployment options. In the end, it's his opinion that the winner overall (it was close) is Node.js. However, he does end with one word of advice:

My advice: assess the options and pick a language based on your requirements. That’s far more practical than relying on ‘vs’ articles like this!

tagged: smackdown nodejs language features comparison winner

Link: http://www.sitepoint.com/sitepoint-smackdown-php-vs-node-js/

Security Affairs:
PHP hash comparison flaw is a risk for million users
May 12, 2015 @ 09:15:10

A recent issue has come (back) to light in the security community around how PHP compares hashes. In this post to the Security Affairs site they talk about the problem of hash comparison and how to prevent the issue in your own PHP code.

Because of a security flaw according to which PHP tackles ‘hashed’ strings in specific situation attackers are given the opportunity to try and breach passwords, authentication systems and other functions being run on PHP hash comparisons, WhiteHat security researcher says. VP of WhiteHat, Robert Hansen, declared that any website is vulnerable to the flaw – the only thing is, two specific kinds of PHP hashes the vulnerable site uses for comparing ‘hashes’ in PHP language.

The problem mostly comes from how PHP handles typing behind the scenes. When a string starts with "0e..", PHP interprets it as scientific notation and sees it as a value equal to zero. As a result, two strings that start with "0e..." will evaluate as equal even if they don't match. Fortunately, the answer is relatively simple (though it could be time-consuming to fix): change == (double equals) to === (triple equals). This prevents PHP from doing the type juggling, so the values are compared as the types they have when presented (string to string in the case of hashes).
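The loose and strict comparisons side by side, as an added example that is not taken from the Security Affairs article. The digest strings are constructed (not real hashes) and `is_juggling_prone()` is a hypothetical audit helper; the third sample shows that the collision only happens when every character after `0e` is a decimal digit.

```php
<?php
// Constructed 32-character values shaped like hex digests; not real hashes.
$samples = [
    // "0e" followed only by digits: PHP reads both as 0 * 10^n.
    ['0e111111111111111111111111111111', '0e999999999999999999999999999999'],
    // Ordinary digests: no numeric interpretation, compared as strings.
    ['5f4dcc3b5aa765d61d8327deb882cf99', '7c6a180b36896a0a8c02787eeafb0e4c'],
    // "0e" followed by a hex letter: not a numeric string, so no collision.
    ['0e1a1111111111111111111111111111', '0e9b9999999999999999999999999999'],
];

function loose_match(string $a, string $b): bool
{
    // Vulnerable pattern: two numeric strings are converted to numbers
    // before being compared, so different "0e<digits>" strings both become 0.
    return $a == $b;
}

function strict_match(string $a, string $b): bool
{
    // Fixed pattern: === compares string to string with no type juggling.
    return $a === $b;
}

function is_juggling_prone(string $digest): bool
{
    // Audit helper: flags stored digests that == would treat as zero.
    return preg_match('/^0+[eE][0-9]+$/', $digest) === 1;
}

foreach ($samples as [$stored, $submitted]) {
    printf(
        "%s vs %s\n  ==  : %s\n  === : %s\n  stored value juggling-prone: %s\n",
        $stored,
        $submitted,
        var_export(loose_match($stored, $submitted), true),
        var_export(strict_match($stored, $submitted), true),
        var_export(is_juggling_prone($stored), true)
    );
}
```

Only the first pair matches under `==`; none of the pairs match under `===`.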

tagged: hash comparison flaw doubleequals tripleequals

Link: http://securityaffairs.co/wordpress/36732/hacking/php-hash-comparison-flaw.html

Anthony Ferrara:
It's All About Time
Dec 01, 2014 @ 10:46:15

In his latest post Anthony Ferrara talks about a tricky subject in PHP - timing attacks. A timing attack has to do with vulnerabilities that can come up because of the differences in time it takes to perform cryptographic operations (like hashing or encrypting).

An interesting pull request has been opened against PHP to make bin2hex() constant time. This has led to some interesting discussion on the mailing list (which even got me to reply :-X). There has been pretty good coverage over remote timing attacks in PHP, but they talk about string comparison. I'd like to talk about other types of timing attacks.

He starts with a definition of what a remote timing attack is and provides an example of a simple script showing the delay that's key to the attack. His script deals with string location, but it gives you an idea of how the attack works and where the danger lies. He points out that attackers, even remote ones, could determine the time it takes to perform operations (down to the nanosecond) and use this to their advantage. He also points out that both == and === are vulnerable to this type of attack because of how the comparison happens. He gives two options (one an internal function) to help protect your application and briefly covers a few other types of timing attacks: index lookup, cache-timing and branch-based timing attacks.
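A comparison that does not stop at the first differing byte, as an added example that is not code from Anthony Ferrara's post. The summary does not name his two options; the built-in `hash_equals()` (PHP 5.6+) and the userland XOR loop are this example's own choices, and the key, message and function names are constructed.

```php
<?php
// Userland constant-time comparison: XOR each byte pair and OR the results
// together, so the loop always runs to the end wherever the bytes differ.
function constant_time_equals(string $known, string $user): bool
{
    // Digest length is fixed by the algorithm and therefore public, so an
    // early exit on length reveals nothing about the secret bytes.
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

function verify_tag(string $expected, string $presented): bool
{
    // hash_equals() is PHP's built-in timing-safe string comparison.
    // The known value goes first, the user-supplied value second.
    return hash_equals($expected, $presented);
}

// Constructed key and message for the demonstration.
$key      = 'example-key-not-for-production';
$message  = 'user=42&action=export';
$expected = hash_hmac('sha256', $message, $key);

// Same length as the real tag, differing only in the final character.
$tampered = substr($expected, 0, -1) . ($expected[63] === '0' ? '1' : '0');

foreach (['genuine' => $expected, 'tampered' => $tampered] as $label => $tag) {
    printf(
        "%-8s hash_equals: %s  userland: %s\n",
        $label,
        var_export(verify_tag($expected, $tag), true),
        var_export(constant_time_equals($expected, $tag), true)
    );
}
```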

tagged: timing attack comparison time example tutorial introduction prevent

Link: http://blog.ircmaxell.com/2014/11/its-all-about-time.html

VG Tech:
Comparing Your Privates in PHP
Mar 19, 2014 @ 09:56:33

In a new post to their blog, the VG Tech folks talk about "comparing your privates" with a "hidden" feature of PHP. Don't worry, they're referring to private class properties on object instances here...

I was going to compare several private properties between two objects and started making a piece of code to perform the actual comparison using getters for the properties. I felt the approach sucked, and started looking into alternative ways to do this.

He quotes what the current PHP documentation says about comparing objects, but neither of them takes private properties into account. He remembers, however, that object visibility is at the class level, not the instance level, allowing two object instances of the same class to have access to all properties of the other, regardless of exposure level. He includes a code snippet showing how to use this to compare those private properties.

tagged: private comparison object instance class

Link: http://tech.vg.no/2014/03/14/comparing-your-privates-in-php/

Benjamin Eberlei:
SOAP and PHP in 2014
Jan 31, 2014 @ 09:44:42

Benjamin Eberlei has a new post today looking at the future of SOAP in PHP for the upcoming year. In his opinion, despite negative comments and harassment the technology gets, it still has the advantage over REST.

These last years REST has gotten all the buzz, everybody seems to be using it and there are lots of talks about REST on conferences. SOAP used to be big for building APIs, but everybody seems to hate it for various reasons. I have used SOAP in several projects over the last 10 years and this blog post is a random collection of information about the state of SOAP in PHP 2014, as a reminder to myself and to others as well. Why care about SOAP in 2014? For server to server (RPC) communication it still has massive time to market and stability benefits over REST.

He points out some things REST lacks, like a standard to describe endpoints and a way to automatically generate clients in any language. He then gets into some of the basics of SOAP and PHP's included functionality. He shows some of the configuration options you can use for things like debug output, exceptions and custom exception handlers. He recommends the Zend Framework's SOAP Autodiscovery for generating WSDLs and the XSD-TO-PHP library to create objects from a well-defined WSDL. He covers the different modes you can use to "talk SOAP" and using the ZendSoapClientLocal to make a request without the need of a web server.

tagged: soap rest comparison wsdl soapserver introduction

Link: http://www.whitewashing.de/2014/01/31/soap_and_php_in_2014.html

Samantha Quinones:
Juggle Chainsaws, Not Types
Nov 22, 2013 @ 09:25:33

Samantha Quinones has a new post today about something that has been known to trip up both new and experienced PHP developers - PHP's dynamic type juggling.

No matter how popular an activity it is, I really don’t like to bash on PHP. Every language has its flaws when you look closely enough, and if PHP wears its idiosyncrasies a little closer to the surface than most, I think it makes up for it in other ways. PHP’s handling of types, however, is confusing at best and at worst completely deranged.

She goes on to talk about the issues with type comparisons and how much trouble using the "==" (double equals) versus the "===" (triple equals) can potentially cause. While it's easier for new PHP developers to get caught by this issue, even experienced devs might miss it. She gives an example of a time in her own development involving the comparison of strings against constants and in_array's non-string type comparisons.

tagged: type juggling strict loose comparison inarray

Link: http://www.tembies.com/2013/11/juggle-chainsaws/

ZFort Group:
The Battle of the Titans. Zend vs. Symfony
May 23, 2013 @ 11:55:45

In this new post to the ZFort blog Elena Bizina compares Symfony and Zend Framework from her perspective, looking at things like functionality, general understanding and community.

Zend and Symfony are the two frameworks that are often compared. Which one is more functional? Which one is more preferable in terms of productivity? Which one is better for general understanding? Which of these two has a larger community? I’ve asked Zfort Group experts to help me with these questions, and here’s what we have come to.

She first gives a high-level overview of each framework, pointing out a few of the features and tools they have built-in. She then goes on to answer the questions above, noting that she sees Symfony as coming out in the lead. Some of the questions are a little vague, so it's not entirely clear why one is different than the other. What do you think? Leave a comment here with your opinions.

tagged: zendframework symfony framework comparison

Link: http://www.zfort.com/blog/zend-vs-symfony

Codeception.com:
Specification or Testing: The Comparison of Behat and Codeception
May 08, 2013 @ 09:28:34

On the Codeception site today there's a new post that compares their tool, Behat and PHPUnit for testing your applications.

This is a guest post by Ragazzo. He uses Behat as well as Codeception for making his project better. He was often asked to do a comparison between Codeception, Behat, and PhpUnit. In this post he explains the common and different parts of these products.

The author talks some about the difference between functional/acceptance tests and how they fit in with behavior driven development. He includes some examples of Behat test formats (Gherkin) and how it can be used for both the functional and acceptance side of things. He also talks some about why he prefers Codeception over Behat(+Mink) for his testing. A sample Codeception test is included, showing a login form check.

tagged: codeception testing behat phpunit acceptance functional comparison

Link: http://codeception.com/05-06-2013/specification-testing-coparison.html