
Robert Basic:
PHP traits to create test doubles
Apr 04, 2017 @ 15:47:15

In a new post to his site Robert Basic shows how to use traits to create test doubles in your unit testing practice. He sees them as a simple way of keeping tests clean rather than scattering mocks, fakes and similar doubles throughout the test suite.

Keeping your application or library code well organized, easy to follow and easy to read is important. Your test code should not be exempt from those rules; you should follow good testing conventions.

One part of my tests that I feel are out of control are the test doubles. Dummies, fakes, mocks… Seems like they are everywhere and that I keep writing the same ones over and over again. I do follow some good practices on how to reduce code duplication in my tests, but these mocks… Ugh.

He starts with a simple example, showing a test that evaluates the result of a transaction being executed (true or false). He then describes the eventual "creep" of the tests as more are added and, with each, more "transaction" object instances are required. He suggests refactoring the creation of those doubles into traits that the test class can pull in with `use`, so that test setup is a bit cleaner. He proposes a "trait for every double" so that each can be included as needed and without conflict.

tagged: traits unittest double mock tutorial example setup object

Link: https://robertbasic.com/blog/php-traits-to-create-test-doubles/

Paragon Initiative:
Preventing Timing Attacks on String Comparison with a Double HMAC Strategy
Nov 09, 2015 @ 18:07:19

The Paragon Initiative has a post showing how to prevent timing attacks when comparing strings using a double HMAC method. Essentially this method replaces non-native timing-safe comparison functions: both strings are run through an HMAC with the same key before being compared, so the comparison itself no longer leaks anything about the secret value.

One of the common cryptographic side-channels that developers should be aware of is how long a specific operation, such as a string comparison, takes to complete. Thus, they are called timing attacks. [...] Timing attacks are possible because string comparison (usually implemented internally via memcmp()) is optimized. [...] These concerns have led many security experts to propose a Double HMAC strategy instead of writing a constant time comparison loop where one is not already provided (e.g. PHP before 5.6.0).

He points out that while the hash_equals approach can be effective in preventing this kind of issue, if you're not running PHP 5.6 you're a bit out of luck. There are polyfill functions that mimic it, but he suggests another option: the double HMAC. He includes example code to perform this kind of comparison, using the same constant key value in the HMAC generation for both input strings. He then refactors this and shows how to use a randomly generated key instead, making use of the native CSPRNG functions coming in PHP 7 (a polyfill is available for these too).
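The double HMAC comparison described above, written out as an added example (this is not the Paragon post's own code). It assumes PHP 7+ for random_bytes(); the demo values at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Compare a user-supplied token against a stored secret without leaking
// timing information. Both strings are passed through HMAC-SHA256 under the
// same key and the digests are compared. Where the digests first differ is
// unrelated to where the original strings first differ, so even an
// early-exit comparison of the digests tells a timing attacker nothing
// about the secret. The post starts with a constant key; a fresh random
// key per call (shown here) works the same way and needs no key management.
function doubleHmacEquals(string $known, string $userSupplied): bool
{
    // Assumption: PHP 7+ (random_bytes is polyfilled on older versions).
    $key = random_bytes(32);

    $knownDigest = hash_hmac('sha256', $known, $key, true);
    $userDigest  = hash_hmac('sha256', $userSupplied, $key, true);

    // Both digests are exactly 32 bytes, so the length check is constant
    // and the remaining byte comparison runs over unpredictable data.
    return $knownDigest === $userDigest;
}

// Constructed demo values, not from the post.
$secretToken = bin2hex(random_bytes(16));
var_dump(doubleHmacEquals($secretToken, $secretToken));              // same token
var_dump(doubleHmacEquals($secretToken, bin2hex(random_bytes(16)))); // different token
```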

tagged: prevent timing attack double hmac comparison hashequals polyfill

Link: https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy

DZone.com:
Self-Initializing Fakes in PHP
Dec 05, 2011 @ 16:03:53

In a new post over on DZone.com Giorgio Sironi shows how to create a Fake: a test double that implements the interface of an external service and hands cached results back to the calling code.

We can specialize our Fake in a Self-Initializing Fake, which will provide an alternative implementation with the aid of the real one. In our Google Maps case, the Fake will use the real web service for its first response, and maintain an internal cache. This mechanism provides insurance about out-of-sync responses, and lets you enjoy the speed of unit tests after the initial warmup: if you always use the same data, no duplicate requests will be made to the external resource.

He includes example code for a PHPUnit test that loads the information from the Google Maps web service and caches it in a private variable inside the Fake. The test checks the difference in time between fetching the real response and the cached one; it fails on the first run, before the cache exists, and passes once the cache is implemented.

tagged: selfinitializing fake double test unittest phpunit

Link:

Working Software Blog:
Escaping single and double quotes for use with XPath queries in PHP
Aug 19, 2011 @ 18:50:14

On the Working Software blog there's a new post showing a solution to an issue with escaping quotes in XPath queries, a problem that is not specific to PHP.

I've been working with the Basecamp API to plug in our IRC bot that we use for time tracking, and I'm astounded to learn that escaping single and/or double quotes for XPath queries in PHP does not have a well documented, best practices solution. In fact, it seems as though this is not peculiar to PHP. I took a look around and found this excellent article by "Kushal": http://kushalm.com/the-perils-of-xpath-expressions-specifically-escaping-quotes.

He's put together his own PHP solution to the problem: a filtering method that splits the value on the quote characters, wraps each piece in the kind of quote it does not contain, and joins the pieces back into a single XPath expression.
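The split-and-rejoin idea from the post, as an added example that is not the blog's own code: XPath 1.0 has no escape character, so a value containing both kinds of quote has to be rebuilt with concat(). The XML document at the bottom is constructed for the demo.

```php
<?php
declare(strict_types=1);

// Turn untrusted input into a safe XPath 1.0 string literal. A value with
// only one kind of quote can simply be wrapped in the other kind; a value
// with both is split on the single quotes and reassembled with concat(),
// where every piece contains at most one kind of quote.
function xpathLiteral(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    // Both quote kinds present: the single quotes become double-quoted
    // "'" literals between the single-quoted pieces.
    $pieces = array_map(
        function (string $piece): string { return "'" . $piece . "'"; },
        explode("'", $value)
    );
    return 'concat(' . implode(", \"'\", ", $pieces) . ')';
}

// Demo on a constructed document (sample data, not from the post).
$doc = new DOMDocument();
$doc->loadXML('<people><person name="O\'Neil &quot;the&quot; boss"/><person name="Plain"/></people>');
$xpath = new DOMXPath($doc);

$name  = 'O\'Neil "the" boss';
$query = '//person[@name=' . xpathLiteral($name) . ']';
var_dump($query);                          // the rebuilt expression
var_dump($xpath->query($query)->length);   // number of matching nodes
```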

tagged: escape quote double single xpath query tutorial

Link:

PHP 10.0 Blog:
Making $$$ with PHP
Apr 02, 2007 @ 13:26:00

In a brief post to the PHP 10.0 Blog today, Stas looks at a topic several PHPers out there have had to struggle with in their math-centric applications: how floats/doubles are handled in PHP.

Just wanted to write about the topic discussed elsewhere: how could one do money calculations with PHP? PHP has no BCD type and no arbitrary precision float type either. And for money calculations it is important to be very precise; accountants cannot allow even a single penny to slip by (remember the plot of the Office Space movie?)

He basically says that the precision PHP's native floats offer just isn't enough for some kinds of functionality. He also offers his own solution proposal: converting the values to (arbitrary-precision) integers and doing all calculations in hundredths or thousandths of a cent.

Note that, according to Ron in the comments, there is in fact a BCMath extension already built for PHP.

tagged: floating point double bcmath extension

Link:
